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IT lit #^>^ 65 it*& 64 ^ >R #. « JR. « i^*t # >^ 4*- ftO ^ >^ 
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¥t^^, ii#^^^JI.4^1^««:# ( David Aucsmith ^/^^ 
Proceedings of the 1996 Intel Software Developer's Conference Ji4Il4L 
"Tamper Resistant Software: An Implementation" ). 

^^PC60l^>f. 

^, ni^^^^itiL^^^:^^ n^^i^^^x^^^^^^-^ (OS) 

^ ^ PC 6^ OS ^&j*-il^*r4i^^m«^^ 

^ir*^ OSia.itifmxt>?f^*l&6*#*t*#^>«t^ CPU 
f-SWi^&^^i^a^ C^**: CPU «JS-«i&^ 
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OS A^».4f CPU iN-fiI^fc^fr»'4'l*^i3I^iE.6^#*t. ^^^^-a, 
i&TJft CPU ^ge.#|3I, OS A^^ii^Hfsi^m^t:^J^^M.Jn^^ 

tfeiiT ^^*r Jtll.>j5E-.^ ffi fi^^^t i^. 

^*»: Hampson, ^ 4, 847, 902 ^H:® Hartman, 
1^ 5,224, 166 -f-^@^#'J. Davis, ^ 5, 806, 706 ^J|® ^^!l>Talaihashi 
^, ^ 5, 825, 878 Jl: a *J . Buer 6, 003, 117 -^Jl: S , 

^ 11-282667 ^ B;*^4i>^^jf'3 ( 1999)). iffe^S. 

Intel :?^iL6^ X86 ^4^fi^#lit^^ ( Hartman, ^ 5, 224, 
166 ^Am^^] ) ;€-#ii.it^m*L^fi^^49 Kx ^^n^^^mst4f 

^'j^^i8^y^$'JittS»ft65#^^-^ Ks ^;6L6^/>f^W^ Kp, 
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$fc*t*^&tfc, ^ 5, 224466 -?-JI:9^^JilL^, ^m.^^^if^'K 
«:^^t:f; i^-^^ OS T 64 a& Ife. itA^'i- OS T)5t i&«S-«:*^*t.*J 
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— ##0t*L;^, I? 11 - 282667 ( 1999 ) B J^^ii^^^M t 
^-ii^^T-#^^. ^^^^^l^^^.J^^^^^^'t^^^^ CPU 

^^^.^J-^^-fi. jifc^>KjK«:^*»^e5rjLi^->h CPU i^ie^fi^r 

it^y Jtk^ 5, 123, 045 -f-|lL@4-*lt. Ostrovsky f-A^^^T- 
J5t^#6^ ^#^5'J ^ ib^4- ^ ^ 1*1 6^ i5 - 4- if. M., ^52. 

6*#i&>^^j^^t«i^4^*'^6**'&^^^^^ ^-Wdb.: 5, 224,166 
Am^^]^f^ 11-282667 -f- a ;*^''>:fl-^^'Jt^> ^it^itmn 
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fi:.f^^A-n^A±^ 5, 224,166 "^ikm^^l^^if-m^i^^^i^J^ 
;*^iL ^ fi* 1^ ^ >^ B 6t A4«.>»- # T « jt Jiitit* E « 4 'li 

■^r « ^ ^^^^ ^ 4S-ife«*t.^N . 
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/v-¥^iG(«*»: TLB). m't^m.^f^i^^nW^i^i^^J^^^ 
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i . — ::*::::." • • 

: : : • : :H" • • *--» 

m 12 3^^6^«:At3E|&l^^#*^4gtl&;*«»^^lJfi&^iSit 
m 13-^lb*©3fi§«:A«2lifc#l«5i4i^^rt^«'Jfi^*ta*45fca®. 

ilit^t^^ 2102, #9#i&l^«^«:*tail 2101 

^^5il^>?|->i»#2103. 

1^4^, -j5E.jIt.^:afei»!lt. 4a.*hiSS2101 2111, 
^4^*1##.>G 2112, ^4-i^^^2113, ^^^^^m^^^^llU. ^ 
#^^^#»2115, ^*§^Afit^*tfe*2116, />*^^^>?^^2117, 
BIU ( Ji>^^X3S(L7t) 2118, S.?t^>?l-I& 2119, ^i^^^^^l^ 2120, 
2121, If ^^^tfe* 2122 «Ja.«irW4i'*^^#4!-|& 2123. 

if^'ft^.tt (OS) ^M.m^^^^^, m.^^^i^'^m^mn^-^^ 
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(1) i^>^'&j^4f*s^#fi^''>*^^ Kx, nm^misc^^f^^^ 

Ks. *J^:it4-a^T«^ib''>^^^. 

^Hfi^^y^. ^X^^^m 1 ^® 2^^6^'j|'l*S^fie., CPU 
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2202 ^ 2204, * t & 2202 ^ 2204 ^ ^ iLS.^, 
i7&&J^2203Mr>i^EJ%. EJ^ 2205 ^#«Fi^EJ% 2203 N-&^«0t4» 

i^>^6^lft.'ff. ^4^4ft.##-/C 2112 ^^.-ffj^t^^^J X 6^:^14-, 

BIU 2118. itit^^^ 2102 ^JjLJfcAh x ##i*.it x 

64 BIU 2118 m,BiW4-m.^n^ 2113, ^J&iaf«1^4-|fc##-iC. 2112 

#.#i^^4-. *i^#^iS.^jaSI^'?|-»3t# 2111. 

2103 Ji**A*k«&^/^lIt, #***t*:iS.iaiS«| BIU 2118, 
AitjgL BIU 2118 Ifr Jlj ^ 2102, iS^J&^-i^^^iit^^/^K^^. 

^4-^?tS 2113 ^^r-J^^^^I^^^^^^-**^:!:. #JL^J.#« 
S 2103 j4.#'14ifci**IS-^4S4-^H'S 2103 64^*xtj^64#4-. 

execenc keyaddr 
>^Ejtti#^B^?g^^t4i^^^>^*'#^^. 2203 
A^i^^itm-^^f^^^^^-^^ Kx. *1^«.^Ti^#^^#*. ^« 
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>4#^EJ^2205. "keyaddr" ^^Ei*. 2205 6^15 ifc At. 

f^AY^^M^^^I^^ Kp^A^ Ks, ii^ 

^St Ks, iSL—fL:^^^m^i^^^fiS:M-i^Mr> -^E.*tiffi^ft^. t^l^ 
^^^■^ik^^:^^^^^ Ks. At«ST«-^trt-^«f^ Kx, iJ6:f^ 
-fit^J^^^it Ks, iJ&JLikfciSSIi^T^^J^ Kx JH'^'l^^^^at^Af^^ 

2205 «tl^ig-#i&ia:«-^A^']ASS604t4^ift.##->t 2112. 
^4^|fc;ff J^it 2112 :WPifc«:|& ,[Kxliii^J-'>:?f#^«f 2114. 
iiitifJ^^^t^^^-f-JS-IJ 2115#^*S#**, xi-*tS3&'^-«^#§^ 
^ Ks E w p(Kxllt# Kx. ##'g-?!-#^»J4S*^^^^IJ2117. ^fe 

2115 ^^^^-^^-i^^ 2117 

-^-^^i^lS^^S 2117, Mj&*h«JJiat>^*»^^4-#.#4^^. S*fcSL» 
^i^Axi^^-^^-fr^fc^lH-. #;yLi#^» 2103 BIU2118 
^fJ/>^?^^#F^^&fife*: 2116, :l^*3«^^*-^fc.4S*W^##S 2117 

H^i^^^^f^t^ni^^. i*;&#'e>?^#^m4^^H' 112113. 

if'Jffllt^ Kx itc^^ifim-J^^^^^^^^^^^'^^^^ 2113, ^fe^ifc 
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H 2113 64 ^¥iil^^^:^, #JLsl#'a3fc# 16 ^^.'hfi^W^ 

exitenc 

* 2116 ¥tm^/k^^um 2103 i*j&*ha#iiw»«i:#s 

T I? ^ T If:*^ ;a «^ *6 iJ^ 4r 

jlfcAtSSfi^^-ff-Slit^ 2111 32 >hii.^^4|-S ( RO J. R31). 

R31 m^n^i^^n. ^m.m'^^^^^^^^n^^n^i^ 2111. 

-^^^^^^ 2123. 
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OS i^^il*'&*»5lr^^. 

^tALm.m.^^'di -cont" (aii*) "conf ^4-1*. 

^ S it >fr 21 11 ^ ^ # I& 2117 ^ J5«l ft Jl' ^ 2119 

«^ 2123 d^rtJg:. ^^>f^S:«L# 2111 

rt-^^^^^^^itS, @it5i.it«-^^ii.^5>J t«t*»^^>^4ft.^fi^,^, 

■iri5i^ffi>MLir->h'';i^-*-^4«^'«i-s 2123 ftit.«&*t<t.. ^^Jt^^n 

2119 fiOF^^^^, JLi*^, «iB^;f:|:tfe:t3ft5i->h>'>*^-^^'«l-|^2123. 

•savereg" ( ) ^4^^ i'^^H'^'i^l^ 2119 i^fy^^^^l 
ifc "savereg' ^4-iit^^i&dt.»TJ»ie.4r^: 

savereg dest 

:H-JL«lt4-*5r— "dcsf. ife-f^ifc "dest" ^^^^ML 

J&tb "savereg- ^4-9t. i|.it«^^^#-^t4i-^^^ 2120 
ft6^*hiS^''>^^4g Kp, iN^io^^fr^J*: 2121 ^^.^^^^ 2119 

2123 #5t^t BIU2118 

in^^H^^^n 2103 f»3* "dest" *i.^6§ifc*t. M.^^^ 2103 |t 
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-^t^#J&^*tt*r>^^^>^at, OS "rcvrreg' ( «. 

rcvrrdg addr 

#JLia^4-*^->h^#«: -addr", ««t#lt «addr- -fti^^:^ 

JLtlj "rcvrreg" #t4-^4-Bt, ^ *kiS^ BIU 2118, "addr" 

it-ft-^^a^fr^^^^^ Ks X^-'gii^J^t, ^J&^^>?|-$:t# 2111 
l^-l^^a.^r-il^^t^. fl&^-'^^i^^^'H-l^ 2117 

OS ^^6^3^:^. 
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Jli^^H^^^^mr 2119. i^^. "rcvrrcg" "savereg" 

^4-:?rSfc;t.^h6^>^^^^*J^::FlltarH^^#^^ 2119 
49^^^2123, ^'^m-^:fmt^'^^'^in^^^. 

2119, mit^^X^^^t^^^J^^^U^^, i«rTR^jt^^*« 
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(RO J.R31) 6*#t^J^4^^*-^ Kx#^*^^ig«^|^^*:. 

-^LA^ife-wt. ^f'^m^'t Intel /-^^./a** 

Pentium Pro ^^3g^^*ifi^*^+|-|5L. iJf.fl^#.#;*^it»>«fl^«:*kff S, 
'(a^;t^i^L'!g#:fi>^l^i^jtt.#^i*'l^. >^E.«T6O-0LB>«t» ^"Sim Pentium 

^ji^, Pentium Pro ^^J«t*A^i5I*I^T^#*fe.jaL, tif}^ 
^: iftJSLJfcAt, i*#.JfcJtf:i':t;8LI£#ifca:, ^a^^^tifc^^^^N t# Pentium 
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«fc^tti£ll 101 AbiS||*t'« 111. ^4- TLB( ^^M.H' g ) 121, 

^^•f^hig-^Tt 131. ^#TLB(^;^^^|'|I) 141, — iBLi^i|.^# 152. 

*hiSi&^'^^ 111 ^k^^^^xj^jt 112, f^;^j^*t#*»#/«f^^a^ 

>b 113, —^^^m,^ 114 «2L4l4^^fc#^>G 115. ^4-|^#^7G 115 
iat— &4^^4-|lJpt-/jjf Ji%:^it 214. 215> ^4-4fc###t#-iG 216 

iSlX^4-|lt#^jil#^X. 217. 

:^f-*a#^ic 131 at— 253, -LTitlt^*'^/ 
J^^#-it.254, #1|-*ta#.ie. 255, i^lt«:**<tiF4^aJ^>C. 256 ia>8L^ 
^^^^^^^^iS-^yt 257, 

^4- TLB 121 ii-#&fe?l^^JtS 230, 4fc^^)Sf 
H'^ 231 i24;SL^^#-iG 232. TLB 141 i^— # fefe^^T^Lf-^^^^ 

Km 233. 

ia*t3SI& 101 *;^fflf->?^#)tj*.<a:*taiJ'^-*^r^^^^ Kp ^ 

Ksfi^^^Q-J^h-I^E 241. a.4fe«f5tJW.^^^^«^>«S<^^^Ji^ 

:^^Ji^^^4f^^m Kcodc ( EKcodJA] ) ^0.^ A *»^, ^^^^^-fiSl 
*JM^^i£S 101 ( EKp(Kcode]) ^'^if-^M Kp 60*'^:5r^i?t'ff*»^60 
^^^^^ Kcode ^fjia^tig^ 101. ^*t^ll 101 A—^^^^^^ 

fi^**^^;^ ( ^iai±>t-Mpt«f^«.). J*^. -jat^has 101 
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jB.itMrm.^i'^K, (i^^^^^y 112, <st*ti£s 101 M^m.fts.m^ 
101 ^^^x^^^ 281 T^A^A-Mm:^n^¥L^^is^^^¥im.^. 

iTAtig^-^ 131 6*JiTinr4;fc'^/)^*#-:^:- 254 #4&"^4itt«r^>^t 
>f^7«r JlTi:^4^>^-i.'^^l*^ 281. 

^«:*tia^ 101 4fc#«^:5l:4S4^Bt, ^S4-^*-/J^^#.iG 214 
LI :it4-^iti^>if 213 ^ft-Ai^>^^|fcS ( ) ^«W6^ifciti«*rt 

^. >^*l;tJfciU:Ji60f^^*^ii^#» «^ LI 213 

215, ^4^41 215 T>2t 

>t 216. jaj&^*tifc^*. g#^^e^4^#JL^^'&^n6^4ft.#^^ 
IH", 217. ^^#9 <*A«:*tffi^ 101 

253; S4*.#B#^-i|-^*»8t, ^4-#.#^A#-iG217#4ft.#^*.^>^ 

LI |gt:feJ&iti^# 218. 

LI 218 ^J*3^>^b-g^^^a#-;?t 112 6t4^*JT* L2 

^itm.^ 152 ^fc-J^ili^^, #;&^A.i>f|^§ 281. it J.^^ T 
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101 fy^j^^n^mii^'R^TAlk^, «:»TLB^*.3f4t-t6^<» 

Hf^yt^i^^y X#1f^i*fl&*#i^^**J3f;|.S.H'S 234. 
#4^-^|&Jl6^l^>^}^;^iitIS^JIt« TLB 141. 

#'«P^K4Li*ilsJ0^4- TLB 121. :^^«L#&J^.^&•ii^^^Af#iifc#Ail:# 

^. 112 >W.^^# 281 il L2 152 

LI 213, LI 4&4-i^ 

jfcAt#4^^. *.Ji^i^, >^E.^It TLB 141 St^it^H-^. 
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i^^^^^^Hfin^^b^ 32 ^15r, 64 # ( SJ* 8 >^^15r ). 

@ 7A >^tit:-ff^^tr, 4 >h^11^&A, Bib, ^ A * 

AO J. A3 65w>^^1r|aA. A £ H «^ 8 >h^&A. MitAei 

^A'f- 64 '^Jfeic'hfi^ 8 ^^i^^^it^HX^l^, *»S 7B # 
A0> BO HO^#fJXt^-f ^ 0^^ 1 6^^— #A1, Bl, 

(-fiR!**: CBC ( ^^*^#) 

^^303^^%^vi 307-j. 3J^n 307- j '^^^^^H^^t' ID 307-j- 
k. ifa;^^^A 309 l^*L*jlfc ID ^^«1^«i-ifc1fi!t#lfi^65^4«>^i» 

309- m. m^^^B^^^^^^M^'n-nr 30s ^^^^Ml 309 

-^^^4, ii#^7 Tf^^4- TLB121 Xi^^f^^^^^m> 
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dii»T^^ittf^Jfc#?f^^^4«4^^4'J!-#^i^4- TLB 121. 
^i^H^^n^^^M^'^^^^^^oe. 307 ^ 311 i^tH5'J]54L2^Jt^ 
230, ^jS4L309^Af«J^e>^JlfJt^^4.^J+^ 231. 

>^t-?5-^f!li^#^*^4Jt^t, ^^^^Jk 309 6^->hiC^6^^49 
JtlL 309-in &.'^i^^%3i^^^A.A.^^^f^i^^^^. ^^^^^^^ 
^'kn^H^m^^^^^^n 231 fi^:|^^t» 
ja.ibi^^)t^-^#*t^&5»j5f4.^JtS 230 «^3fjL*:. ^A^4fc#^«f^ 

101«pi-6^i^^3t4« Ks 9^. -ta^ifj^^^/wofi^-et^, 

309-m ^^n^^^>^t>i^^$L 309-iii-4, ^Ifc 309-m-4 ^ 

>^E.?^4«5st|LE^ 310 t. «t'feW«:*t«5& 101 ^^ig^4« Kp 
^t^^**'^*^ E^,IKcodelfi^^i^#^^4f-«%^^ Kcode. T i5t 

#6^^A>b;!^dlfe^l&6^-Ig:>g:-^. Ks ^ Kp ffi^^TSL%^ 1024 

#Kcodc6^^;S.«:5L5& 64^^. it5t4^T«#'&rJL5ll 256 ^, 

i^^^ E[Kcode];»o$^ 1024 ^#^#$J$^^I^& 310. S Kcode 

:ir*it#«*-^JL«it:r;«fei'X 1024#.>Jl^^'&N-, :a#'fefcr^5&i^>h^i8'l 

:;|.1024'^*.'hfi^J*:. i^J^^^. 

S 8 A»'X>R.>»^«f^:^^*t^-K.«!l3«^4t43fc. m^i^^n 501 

.jfeiE^ifcaL^jaj 502 Xf^iio^M^ 502 fi^Jfc*t "Addr", 

TLB 121 fi^JC^ 307, #il#Ai!.*L "Addr' » #^i(yifeS3*. 

At "Addr-. iSlBt, ^^'^^PC^'^l^^^^^ ElKcode]^^4a^ 309 tJP«^ 

A. mM$. CPU rt^i-etfi^i^^i^^ Ks, jiF^^frtfe* 506 ^'^^nm 
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^, i^j^^'^^^M^MMm^^^^^^^ 507. ^^n^nn 

JH^^m.^ 101 «^''>^^4« Kp#^f-'f^^*»^«^4S*^4« Kcodejd" 
^, #^^'1^ Kcode im^ii^m.^'-^^^ySt^^^^ Kcode, Sifc^f^ 
it^^^m 101 6?r^^^4« Ksfi^^/'3st;F^^*»ii:Kcode. 

^^^^^J^ 511 j(»'^>i-K^ 512 «^JL^»|4fra#^*l& 510, 
»i;a*4«4.^45^»508j^CR3f^4|-|&S09;*:#^'&'iri«*J4.*t. #.#45^ 

511 i^li^>N3i:4L 512, iilt^.^*^tT#.7t 112, 
^ii.^>?l^f»1^4- TLB 121. 

iiit^^^^tiJ^it 112#JttJ^f-*J«^4-TLB 121 #4fe«^«ra* 
At "Addr*- fi^rtJg- 503 -^Aut, ^TJJt^^^'f^^ 
/SF^^*^* 212 #rtig: 503 i^^, 

:^^^ia^m-^i^t:^i^^i'JL^^^^^^^'^^^ 2000 - 35898 -f- 
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^Jfc^4fe*it. LUt^^il^-l?- 218 »t, *Jat#if«J 

m^4-TW 241 l*3 6^#it^4« 241 ^^^«^^#-iG 232 

«ifc, W^;f:T«fe*»i£llt#J^i»»^^^ Kcode 6*^^^, 
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^ Pentium Pro '*^i##*ti£it^fi^-hT:*:'fl:4«:^ 
#:f>^nLf- Pentium Pro #JLii'r^#T»5^>&^ I'^rfT^b^S 

i*.#60iti^6*-tTit##f3>er^^#» 72S ibilt«.^«^ TSS E. 

^Jt^^'^, A^zk^i^^^^^y^nk^^^ (^M^i^^ ^^^^^ 

26 

PAGE 34/1 01 * RCVD AT 5/24/2007 1 :38: 17 AM [Eastern Daylight Time] * 8VR:U8PTO-EFXRF-5/3 * DN18:2738300 * C8ID:(6ei) 400-1 980 * DURATION (mm-ss):00-24 



5/23/2007 11:38 PM FROM: (661) 460-1986 Huffman Patent Group, LLC TO: 1-571-273-8300 PAGE: 035 OF 101 



Hfffi^ iDTXa^tffJ TSS, jl'jib*.6^a>^*lt#4^^^;^'^, #ilL#;5(r-t 
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^jk^^t^^^^^^^^^^f^f'^^^ 802 J. 825, m^^^ 

«:3L^9I TSS 826. 

^^iS^fi^ TSS^^«:>^. 5|»'ft.^TSSitip?^«*tfr«.T, ib£Jil.49 

J. CY3 ) 827 ^ 830, "T^^'hi^^ 831. 

i|.J&. EKcd,[Krl 832. mm^m^^^M^^^ ILcoAe ^ 

*t^^4«^*#*«-f >#-tTi:64^^ Kr*»l^; *:<iL EKp[Krl 833, 

SK,lmessagel 834. ;^'&-in'tt.«*l«0«O^^^4a Ks. jfc^, ^ 

.^t-^^^Liaj^^^ffi^^-fi^rKi^SOl 

S 4 ^i^fi^^f-^iS-^-^G 131 1^ JiTit>fr4*ti^/*F-^#-X, 254 ^ 

#lt*&fi^ii»^it^fi^^*1^. TSS i^^>i5-JiTi:>ft4»^-. Bpi^^m* 
^MM^^^J^ TSS -|^i8t«.^T-^ip^, 'ia.ATiSt^^**^**^^ 

.j5L;&.»^JLTaiit^t. ^^J.^:^^^i^^^ TSS 826 
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:^^miitm^i^y^-Jf-^^ Kp Kcode t.^^^ 

it^ij^ Kcode j^^ EKeode[Kr]Tv:m#JiTit*»^^^ Kr. jfc^. ii. 
^^]m^m^^m^ Ksltf^ EKptKrl, ^*hai& 101 TiS^^^-tTit 

M^^^ Kr. 4j^^-^^. iii>^^^]irie.ir^i&A/'^iihi£s&6^^iit^ 

iNffl S^iriifc^*^ KsilFi^-tTiHt4rTiat:*r>&^*.#. ^A^^^^ 

101 ^^^^^ Ks 6^^/:?^ Ttfe^ EKcode[KrJ^ EKp[Kr]-0&5tJiT:fc# 
J^^^J^ Sic[message]. 

1^, #Jl^*IM Kcode A^it JiTit#4*^^*. 

4t&*»^>ll'»*t^fi^^t^^.T, ^-^E.ei*.i5ii:^i-^#>«%;*ii^^-|« Kcode 

^^^^^^yUL^^^^^^^^f^^^, Sit. 3g.it i5t It «i^>^ifc 

SL^^^TfL. i&jfc. >^L#^jtlf:>j|-JiTitiH-, :f ir^«-¥-it 131 rtfi^BC 
*l.4aJt^«.3L 252 /^^Jt^UiSt Kr, ##'eil5l|-fcTit'fr4*'^/itf ^ 
^;Jg 254. itit-et^Jtin.^ Kr i^i^^i^4a^*. JiTi.'ft&*»§/^ 
^#-iG 254#JiT3t;&p^. j?fcJ&, BJ-;&p^'£l. EKcodJKrJ 832, 
¥i^Mik.n^^^ Kcode 6^^^^^#^T)':4##fc<fi. EK^e[KrJ 832 
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^fi-tl^ik. Krit:4f*»^"5r«^#^-ijt EKp[KrJ 833. 

5^^;& 834 fi^;*^^iti&TJ5t#.|l&'e-^^#*#»^^^t4ii#, -RJI-alA 
^>fr: 'fil.*^*haUTiSt^5e.;*»»^«:*UfcEk.^JKr] 832*5*F^it^^ 
834 Hflf^it^Vf^. j^jna^ifif, 7^ntAm.m 101 -^-ft^^ 

^l*^ E,„^,[Kr] 832 6^)^^it^^i^^>€ 834 6^/*^ iit^, i3.A^St^^ 
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TSS i^iL'h^^^^^^iyf^^^it^^i^i^^. B3j*T i5l^^3*.^# 

^it^xxr OS x^^^^m^^i^ tss 

4, ^Jfc, ^'J^*ha$6^#^i^-j^ Ks. r^f-Ata^-it 131 
J^#-iG 257 SK^[message] 834, 

#«ftit^^iaif«I:fr'Jr^«#">t 255. ^^SH^ftH, ^i^»im,^7L 255 

^^^^.^^^^^^-i^^Oii^lSt^iaa 101 ^JLiMt^Jt. 

^J^iit^^j^^Bt, ilitif-J^^it^^ Ksj^i^-hTit^4g EKplKrl 
833, JiTi:^4>'t/Jlf^-^;?c 254 l^#Rfe*u|t Kr. iL^L. )K^JIl^ 
H'S 230 l^#Ljlj}»i-;^i-^;f.it^^ ( EIP) 809 ifl^n^^^ Kcode. 
##'&ii.f>l U^^^^^^^^TQ, 251. JiTit'fr4*'^/)^^#->C. 254 
*lM*teJ^)lf3t^Ha Kcode # EK.«,JKrllfit, :?f-#^*ii.^J4ft.#^ 
^4B^^;&«rtit^>t 257. 257 
£K«Hi«(Kr] 832 i^i^$Sm^^^^tl!i^m.%mni^^^^ Ks «^lf$M 

Kcode ^ ^^^^ ^ 6t . 

m,it^^^^H^^^ Kcode »*'$«JLTit^^. ^.T^^StA 
^ Kcode )«t^^-f ^'i^JiTiL^^fi^^^lSt*!.^ Kr St^im^^^it 
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Tss *ba:^^'l*5'j>«l^#t«rj^9ifca:*^^'il-». OS V« 

f<J^>?^^iL>H^ 253 -^^#>«^^^44^;Si^#-iC. 257 5lt#64ll:i£*tS 
^^J^Jfi^^^tfe-li, ^ Onodcra ^/wfi^^ 2980576 -f « t«.^T 

SA., ^;Fir#-^>^4S'gi^*^i^4tJ:-Ti:^t464^:*^:f 
#i5^^'m^K*-tTi:'fr4*^J^^*^>^64*i.*164^^T. T>':*^'J/a*t 
iS^64^^^l«#>^^^i^#i?-^#^^4«^lr464'ft4J:-Sb*'^. ^ 



PAGE 40/101 * RCVD AT 5/24/2007 1:38:17 AM [Eastern Daylight Time] ' 8VR:U8PTO-EFXRF-9/3 * DN)8:2738300 * C8ID:(0d1) 460-1980 



* DURATION (mm-ss):d0-24 



5/23/2007 11:38 PM FROM: (661) 460-1986 Huffman Patent Group, LLC TO: l>571<'273-8300 PAGE: 041 OF 101 



It® 10 t» "R" ^ 825- 1 JiTilA^ -r^^^^^^fi^^:. 

-U" 825 - 2 TSS il^^ TSS TSS 

§ib>^it«:3:5?f "O" Bt, JM^fit-il-*^ TSS 4.^^. TSS. iHjMA>ik^^ 
^M.yh M» iH". JH^^-^-ifd^ TSS JtMr TSS. itit^-t^^-J^^LiSt 

ib^^^TSS. 

^tfe TSS TSS TSS J^. ^^^IT^. 

4f^J^¥l TSS ^#Jfc«:«^>fr^^*||jt:^4*.Jtilt. TSS 6^&iL 

itiiLt, «^^^J^*t^*^«.X6^ TSS fi^ittr-^^E^ 801 
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^4- TLB 121 ^^J,nx>\MM^n^A^^^^ i^^^M^). 

( ^it) 64*t#t, EFLAGS ##Si^fi^^#^ 

CYC i CY3. 'fe-irjxi-^i^ffi 9 ^^fi^EAll 717 
J. 720. >^L® 9 t. ^-il-S CYO M. CY2 i^*»1f*t;g^<^, J^^A4P# 
^ CY3 6^M15^. 

5?.>^E.« CY3 717 ^m^^iJ^^J^'^^ifi^Tt^.^^i^^ 717 

-1 l^«.^4t'!«#;&o^&J*lS^<K>iS.#J*.*t^'^. v^L^L^hE^ 717-4 
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^l^m.^'ELm^. CYO iJ& CYl J. CY3 ^ 

ii^^^it.^^^, ^*», ^ CYC CYi *l^6^E^:t:Ji»t, 

^-S,iSL 717- 4 ^-f i^#A>(eL*»^4fc;^Ti£4L*^it4fc^Tilt#« 

^: ifa^M,'}i-^^%^$t»^¥Mi^^^^) fl^rt^ CYO J. CY3 
m4m^<^^^^^^2S3^M4l-^»TUB 141 l^^JLA^^Ifr^'^:^ 
236. 

4- 236 (I^^B 4), TLB 141 ^JiPliC^ifcit «Addr- 
CY0^CY3 6^l£®rt. mit^JiPl. 4ai|&TLB141 
4'4^.fS^^;^i^^&^d*: 212. .^t#Xi-^6^^i|.m'?5-4f>W. LI 
218 ^^^^^^fiJ^^SHt^J ffl ^^^^^^ 

*^*.1t«.T, #Afc*t*^J^'^i^'tt. TLB 141 

H^^-lfcl&ilf ^^frilfe* 219, J^^^^^^m^^^l^J^^t LI it»S&ii 
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^^#^60 LI 4t4-^il.i^^ 213 J^i4^##;te# 
Sif«J^^>»^Jjf^^&ai*L 212 LI 

CYC M. CY3 64 l^^4'-?|-^it'fr 253 ^Jbi«JiLlfe TLB 141 *^ 
^^^Lf-iffi^fr^Jfe 233. J*.^, aHllt4^xi-^i^^tr^4f^4-«^^ 

233, 
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233 >^4^#:-i|-#S. 
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JL^ (2) jlii#-#f'Ataiti^, ffj^^^MM^^^^^^]^ 
m 11 -^^^^^.ty n^4-^^^^^^^^- ^^mn loi 

. i^^4f^i^ ^^^l^t^^^^ 131 6^ ^ M^^^^ ^^^^ 251 

ff60lX ^^i!r«J^ig^^t<i.i«L^^4fcJH- (#J»601 NO), 
*t«E-*i[t^«L<fi.4l^^'ffc«^ n 9fiKni^^4-A^^^^ n ( "egatc- ) 
602). d^JHAXan^-^, ^4L^'&AiE.^IS4', aAT 

*602 ti^f YES) 8t, tfc^#jfc^4^. 

;fe>SL. ^^•J*I«^W4-^;4>^C'n^4^ (irJ» 602 ti(^ NO) Ut. 

SA, ^^J*J«^4-^(r^K#**4S4- 603 ti5r NO) Bt, :a 
jL-^ii#^t*ta, .«jir^JJPl:g[^4-i&^*^^4^ (#J»603 t:Hr YES) 

CY3 t6^ 717 J. 720 l^6^^4«EJ* ( CY3 f»3 6^E^717- 5). 
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^-a^ (CY3 717-3) «LjL^4^^a. 

^i^>^ilt^f^Si±^. ia5t^*l« Simula: 

lilt, -^ff:>i!FJiT3L6^^t'2Jt.;fa^, 
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^^;^J^^h6^iaij^ 1121 #i^^J^^i^ "cgate- ( H ) #4-^-, 
#:4^jaLi^fi^'f^^ 1101 ii-it^fc^ -egate- ^4-, /it^ir^^ 

MX- ^4-(*t«5t^ll22), #^^H#^Ji«:^i«.i^fi4##«#-xxx- 
1111. i^;&4*.e^1"ifcAt «ppp- 1112 6^ "call yyy" ( *tait^ 
1123). ^NriSmsStifcit «ppp- 1112 ^^^It;^^'!*^ 1102, ##it^N# 
-yyy' 1113, 9#*t«^^«*l^A#ift.# "ref 

^4^Bt. #ife*03^#5>Ji^*^ilerJfcAL «ppp- 1112. :^^J^s^^n^m 

^Ja^6^ifc4f>«^ 1201 1202 ^tSlXM^^^^' ^ 

^h. ^-^^f-J^^lfi^^^^^^^lt^^/fl/ TSS KJ^ 1203^E^ 1204, 
1221 ^4f -egate" ^t4^»t^i&#L^. .^t^^ ^^P:^^'*^ 

^^m^m^^^Mr TSS B^ai 1203 t^sib&^'^^^^i^^ 

Ki* 1204. iiitlfcff -ccair "ccall' 
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Tss Ji^sj. Tss^iBifl^iiiS'j-jSE.'f, m 10 fft^¥tmr^^n 

t, # U#^'&M TSS Ji«^a*H. 825 - 2. J&a»#-8L^*#^d?«^ 

^3#4^J^;Ft&it^^^. "param" 1204 

^fi^^-Wt. -qqq" 1213 ( 1225). ii.5tfi:jL« 

ii^-f^^^l "qqq' fl^^.«ig^5L, *)di«»>^L "exx" 4 "qqq" 

(51. aait>?|-^^Jt-6^;|L|tSJ^ 1204 4^^S^^^f!l"9IM» ( ^Sit^ 

1226).' ^A^«^*^*iSJ±^oJ^. ^T#4fe#4i6-ig?^«J5^4rMt. & 
ib "sret" ^4- ( *t«:i±i^ 1227). 

■^J8:i^rife#^fi^ "ret- "sref 

TSS6^*lt#iL. .^tifc, S^it^m^$^lSL^ -parain- 1204 
4I-, T»5ll3|-iMt^^.r TSS 1203*t^5&&l.'fr4. "sret- 

m r TSS TSS ¥f^X^m^i^±^M.»)^f; ff^4s.¥L 

f TSS ^^^^A^^^^yf^^^^i^^. f^r TSS 6^>fr^it-^4^ 

%^ "sref ^4^6^^#ia:t*^^^*t^S.i& "0" ^ U 
#^'fi^#.^TSS8t, ^5.#^Jtt:. 

^^fi^. AA*t**»^##.#te.^^^ TSS. "^^m^^^-^^^^ 
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TAMPER RESISTANT NflCROPROCESSOR 

BACKGROUND OF THE INVENTION 

1. I'leld of tile Invention 

Tilc present invention iclatcs to a microprocessor that can 
pievenl illegal allemaliun orexeculion cades anil processing 
target data under a mvili-task program execution environ- 
ment. 

2. Description of the Background Art 

In recent years, the performance of a microprxiccssor has 
improved considerably such that the microprocessor is 
capable of realizing reproduction and editing of video 
images and audio sounds, in addition to ttie conventional 
functions such as computations and graphicji. Ily imple- 
menting such a micrn|9rooessor in a system designed for 
cnd-uAcr (which will be referred to as PCI! heicafier), the 
users can enjoy various video images and audio sounds on 
monitors. Also, by combing the ftinction for reproducing 
video imagps and audio sounds with the computational 
power of the PC, the applicability to games or the like can 
be improved. Such a microprocessor is not designed for any 
specific hardware and can be implemented in a variety of 
hardwares so that there is an advantage that the users who 
already possess PCs can enjoy reproduction and editing of 
video images and audio sounds ine9q)cnsively by simply 
changing a microprocessor for cxecutmg programs. 

In the case of handling video images and audio sounds on 
PCs, there arises a problem of a protection of the oopyrighl 
of original images or music. In the MD or digital video 
playback devices, unlimited copies can be prevented by 
implementing a mechanism for preventing the illegal copy* 
ing in these devices in advance. It is rather rare to attempt 
the illegal copying by disassembling and alleiing these 
devices, and even if such devices are made, there is a 
worldwide trend for prohibiting the manufacturing and sales 
of devices filtered for the purpose of illegal copying by laws. 
(vf>nsequently, damages due to the hardware based illegal 
copying arc not very serious. 

However, image data and music data are actually pro- 
cessed on the PC by the software rather than the hardware, 
and the end-user can freely alter the software on the PC. 
Namely, if the user has some level of knowledge, it is quite 
feasible to carry out the illegal copying by analyzing pro- 
grams and rewriting the executable software. In addition, 
there is a problem that the software for illegal copying so 
produced can be spread vcr>' quickly through media such as 
networks, unlike the hardware. 

In order to resolve these problems, conventionally a PC 
software to be used for reproducing copyright protected 
contents such as commercial films or music has employed a 
technique for preventing analysis and alternation by encrypt- 
ing the soi'lware. This lechmcjue is known hs a tamper 
resistant software (sec David Aucsmitb ct al., **Tamper 
Resistant Software: An Implementation^, Proceedings of the 
1996 Intel Software Developer's Conference). 

The tamper resistant software tcchuiquc is also effective 
in prevendng illegal c(.)pyingof valuiible inlbrmalion includ- 
ing not only video and audio data btil also text and know- 
how that is to be provided to a user through the PC, and 
piolecling know-how contained in (he PC software itself 
from analysis. 

However, the tamper resistant software technique is a 
technique which makes analysis using tools such as deas- 
sembler or debugger diHicult by encrypting a portion of the 
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program that requires protection before the execution of the 
program starts, decrypting that portion immediately before 
executing that portion and encrypting that portion again 
immediately after the execution of that portion is completed. 

5 Conse(|iiently, as along as the program is executable by a 
processor, it is always possible to analyze the program by 
carrying out tlie analysis step by step starting from the start 
of the program. 

'fhis fact has been an obstacle for a co|Tyright owner to 

„j pn:>vtde copyright protected contents to a system for repro- 
ducing video and audio data using the PC. 

The olher tamper resislanl software applications are also 
vulnerable in this regard, and this fact has been an obstacle 
to a sophisticated infonnation server through the PC and an 
ai^>licaiion of a program containing Icnow-how of an enter- 
prise or individual to the W'. 

These are problems that equally apply to the software 
protection in general, but in addition, the PC is an open 
plalform so lhai (here is also a problem of an attack by 
altering the operating system (OS) which is intended to be 
a basLs of the system's software conilgu ration. Namely, a 
skilled and malicious u.<;er can alter the OS of his own PC to 
invalidate or analyze tbe copyright protection mechanisms 
incorporated in application programs by utilizing privileges 
given to the OS. 

The current OS realizes the management of resources 
under the control of (he cx)mputer and the arbitration of their 
uses by utilizing a privileged operation function with respect 
to a memory and an execution control function provided in 
CPU. Targels of the management include the conventional 
targets such as devices, CPU and memory rest.nirces, as well 
as QoS (Quality of Service) at network or application level. 
Nevertheless, tbe basics of the resource management are still 
allocations of resources necessary for the execution of a 

35 pfogram. Namely, an allocation of a CPU time to the 
execution of that program and an allocation of a memory 
si>a£e necessary for the execution are the besics of the 
resource managenoent. 'llie cuntrul of the other devices, 
network and application OoS is reali;^ by controlling the 

4,^ execution of a program that makes accesses to these 
resources (by allocating a CPU time and a memory space). 

The OS has privileges for carr>'ing out the CPU lime 
allocation and the memory space allocation. Namely, the OS 
has a privilege for interrupting and reslarling an application 

45 program at arbitrary liming and a privdlege lo move a cunteni 
of a memory ^ace allixrated to an application program to a 
memory of a dilTerenl hierarchical level at attntrary liming* 
in order lo carry out tbe CPU lime allucalion. The latter 
privilege is also used for the puri>ose of providing a flat 

51) memory space lu the application by concealing (normally) 
hierarchical memory systems with different access speeds 
and capacities from the application. 

Using these two privileges, the OS can interrupt an 
execution state of the application ai3(l lake a snap shot of it 

55 at arbitrary liming, and resliirl i( after making a copy of il or 
rewriting il. This func(ion can also be used as a tool for 
analyzing secrets hidden in the application. 

Tn order to prevent an analysis of the application on a 
computer, there arc several known techniques for encrypting 

60 programs or data (Rampson, U.S. Pat. No. 4.847,902; 
Hartman, U.S. Pal. No. 5,224,166; Davis, U.S. Pat. No. 
5,806,706; Takahashi ct al.. U.S. Pat. No. 5,825,878; Buer et 
h1., U.S. Pal. No. 6,003,117; Japanese Patent Application 
Laid Open No. U-282667 (1999), for example). However, 

05 these known techniques do not account for the protection of 
the program operation and the data secrecy from tbe above 
described privileged operations of the OS. 
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The coDvenliuDiil lechnique baseil on ihe x86 archiledure 
of iDtcl Corporafion (llartman, U.S. Pat. No. 5»224466) is 
a lechni(|ue Tor storing Ibe execulion codes ami dula by 
encrypting Iheni by using a prescribed enCTvplioD key Kx. 
Ibc cncf>'ptiou key Kx Is given in «i form of lij^X^] which 
is encrypted by using a public key Kp corresponding to a 
secret key Ks embedded in a processor. Consequently, only 
flie processor that koow's Ks can decrypt the encrypted 
execution codes on a memory. The encryption key Kx ir 
stored in a register inside the prooessor called a segment 
register. 

Using this mechanism, it is possible to protect the secrecy 
of the program codes from the user to some extent by 
encryiiting tlie codes. Also, it becomes cryptograph ica II y 
difficult for a person who docs not know Ibo encryption key 
Kx of the codes to alter the codes according to his intention 
or Dcwly produce codes that arc executable when decrypted 
by using the encryption key Kx. 

However, the system employing this lechnitjue has a 
drawback in ihal the analysis o£ Ibe program becomes 
possible by utilizing a privilege of the OS called a context, 
switching, without decrypting the encrypted execution 
codes. 

More speciiically, when the execution of the program is 
stopped by the interruptioo or when the program voluntarily 
calls up a soUwane interruption command due to the system 
call up, the OS carries out the context switching for Ihe 
purpose of the execution of the other program. Itie context 
switching is an operation to store an execution slate (which 
will be referred to as a context information hereafter) of the 
program Indicating a set of register values at that point into 
a memory, and restoring the context information of another 
program stored in the memory in advance into the registers. 

FIG. 15 shows the conventioual context storing fbrnut 
used in the x86 prrtcessor. All the contents of the registers 
used by the application are contained here. The context 
informalion of the inlerrupteil program is restored into Ihe 
registers when the program is restarted. 'Ilie context switch- 
ing is an indispensable function in order to operate a 
lilurality of programs in parallel. In the conventional 
technique, the OS can read the register values at a time of the 
context switching, so that it is possible to guess most of the 
operations made by the programs If not all, according to how 
the execution state of that program has changed. 

lo addition, by controiliiig a timing at which the exception 
occurs by setting of a timer or the like, it is possilile to carry 
out this processing at arbitrary execution point of the pro- 
gram. Apart from the interruption of the execution and the 
analysis, it is also possible to rewrite the register information 
by malicious intention. The rewriting of the registers can not 
only change die operation of the program but also make the 
program analysis easier. The OS can store arbitrary state of 
the appHcation so that it is possible to analyze the operation 
of the program by rewriting the register values and operating 
the program repeatedly. In addition to the above described 
ftmctions, the processor has a debugging support function 
such as a stepwise execution, and there has been a problem 
that the OS can analyze the application by utihzing all these 
functions. 

As far as data are conceme<1, U.S. Pal. No. 5,224,166 
asserts that the program can access the encrypted data only 
by the program execution using the encrypted code segment. 
Here, there is a problem thai the encrypted data can be freely 
read by the encrypted program by using arbitrary key, 
regardless of the encryption key by which the program is 
encrypted, even when there are programs encrypted by using 
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mutually dillerent encr>'ption keys. This conventional tech- 
nique docs not account for the case where the OS and the 
application have their own secrets independently and the 
secret of Ihe application is lo be protected from the OS or a 
5 plurality of program providers have their own secrets sepa- 
rately. 

Of aiurse, it isixxssible to separate menx)ry spaces among 
the applications and to pmhiblt accesses to a system memory 
by the applications by the protection fiiiK:tion provided in 

^'^ the virtual memory mechanism even in the existing proces- 
sor. However, as long as the virtual memory mechanism is 
under the management of the 0$, the protecdon of the secret 
of the application cannot rely on the fimction tmdcr the 
management of tlie OS. This is because the OS can access 
data by ignoring the protection mechanism, and this prixi- 
Icgc is indispensable in providing the virtual memory func- 
tion as described above. 

As another conventional technique, Japanese Patent 
Application Laid Open No. 11-282667 (1999) discloses a 
technique of a secret memory provided inside the CPU in 
order lo store the secret inlomiation of Ihe application. In 
this technique, a- prescribed reference value is required in 
order to access data in the secret memory'. However, Ibis 
reference falls to disclose how to protect the reference value 
for obtaining the access right with respect to the secret data 
Irum a plurality of prugrams operating in Ihe same CPU, 
esfjecially the OS. 

Also, in U.S. Pat. No. .5,123,045, Ostrovsky et al. disclose 
a system that presupposes the use of sub-processors having 
unique secret keys coixcspondiog lo the applications, in 
which tlic operation of the program cannot be guessed fmm 
the access pattern by which these sub-processors are access- 
ing programs placed on a main mcmor>'. This is based on a 
mechanism for carrying out random memory accesses by 
converting the instruction system for carrying out operations 
with respect to the memory into another mstiuction system 
diETcrcnt Ixum that. 

However, this technique requires different sub-processors 
for different applications so that it requires a high cost, and 
the impkmciuation and fast rcalizatk>n of the compiler and 
processor hardware for proccssiag such instruction system 
arc expected to be very difficult as they arc quite diffi&rent 
from those of the currently used processors. Besides that, in 

45 this type of processor, it becomes difficult to comprehend 
correspondences among the data contents and the operations 
even when the data and the opcratx>ns of the actually 
operated codes are observed and traced so that the debug- 
ging of the program becomes very dilGculi, and therefore 
this technique has many practical problems, compared with 
the other conventional techniques described above in which 
Ihe program codes and Ihe data are simply encrypted, such 
as those of U.S. Pat No. 5,224,166 and Japanese Palenl 
Applicatk>n Laid Open No. 11-282667. 

SUMMARY OF IHli INVEN TION 

Therefore the liisl object of the present invention is lo 
provide a microprocessor capable of surely protecting hoih 
the internally executed algorithm and the data stale inside a 
60 memory region from illegal analysis in the mulli-Lask envi- 
ronment even when the execiUion is stopped by the inter- 
ruption. 

This lirst objeci is motivated by Ihe fact ihat the conven- 
tional techniques are capable of proleciing values ol the 
65 program codes but arc incapable of preventing the analysis 
utilizing ihe inter mpik>n of Che program execution by the 
exception occurrence or the debugging function. Thus the 
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presenl invention aims al prtwiding a micruproctissor In the case ai'inlenrupling Ihe execution of jsome program 

capable of surely pxoiccting ibc codes even at a lime of the among the plurality of programs, a context information 

program execiilion iDtemiplioD» in which this pmleclion is encrypiion/decryplion unit thai provides an execution stale 

compatible with both the execution conirol funciion and (he writing function encrypts information indicating a slate of 
memory management fimctiou required by the current OS. 5 execution up to an interrupted point of tlic program to be 

The second object of the present invention is (o provide a inlerrupled and the code encryption key of this program, by 

microprocessor in wliich each program can secure a cor- using an encryption key unique w the microprocessor, and 

rectly readable/writable data region independently even writes the encrypted information as o context infiDrmatlon 

when a pluraUty of programs encrypled by using diflerenl '"^o * memory external of the microprocessor 
encryiuion keys are to lie executed. H) In the case of restarting the interrupted program, a vcri- 

'Ihis second object is molivaled by the fact that the fication unit that provides a resurting function decrypts the 

coDvenlional technique of U.S. Pat. No. 5^24,166 only encrypted context information by usii^ a unique decryption 

provides a simple protection in which accesses to the key concsponding to the unique encryption key of the 

encrypted data region by non-encrypled codes are microprocessor, and restarts the execution of the program 

prx)hil>ited, and it has been impossible for a plurality of only when the code encryption key contained in the 

programs to protect their own secrets independently. Ilius decrypted context iafonnatioa (that is the code encryption 

the present inventinn also alms at providing a niicroproces- key of the program scheduled to be restarted) coincides with 

snr which has a data region for pnitecting secret of each the original code encryption key of the intcnruptcd program, 
applkation from the OS when a plurality of applications ^ In addition, in onler to achieve the second and thini 
have their respective (encrypted) secrets. ^ objects, the microprocessor also has a memory region (a 

1he third object of the present invention Is to provide a register, Ibr example) inside the processor that cannot be 

m icroprocessor capable of protecting the piotected attributes lead out lo Ihe external, and an encrypted attribute writing 

(i.e., encryx)ted attril^uted) of the above descrilied data region unit (an insiniction TLB, for example) for writing encrypted 

fA^m illegal rewriting by the OS. attributes ibr Ibe processing target data of the program into 

this third object is motivated by the fact that the con- the internal memofy. 'Ihe encryi>ted attributes inchide the 

veotk>nal technique of U.S. Fat. No. .5.224,166 has a draw- *^oL]t encryption key of the program and an encryption laigel 

back in that the OS can rewrite the encrypted attrilmtes set address range, for example). At least a part of these 

in the segment register hy interrupting the execution of the encryjited atirilxitcs is contained in the aintext information, 

program using the context switching. Once the program is Hie coDlexi inibnnaiioD encTypdon/decryption unit also 

put in a state where data arc written in a form of plaintext by attaches a signature based on a secret infbrmation unique to 

rewriting the encrypted attrtbutcj;, dau will not written into the microprocessor to the context information. In diis case, 

a memory without encryption. L^ven if the application the verification unit judges whether the signature contained 

checks the segment register vahic at some timing, the result in the decrypted context information coiix;ides with the 

is the same if the register value is rewritten after that. Thus origioal siga<iture based on the secret information unique to 
the pFCSOit invention also aims at providing a microproccs- ' the microprocessor or not, and restarts the interrupted pm- 

sor provided with a mechanism which is capable of prohib- gram only when ttiey coincide. 

iting such an alteration or dulecting such an alteration and in ihis way, Ihe stale of execution up lo an interrupted 

takiDg appropriate measure agamst such on alteration. i>oint of the encrypted program is stored in the external 

'Ihe fourth object of the present Inventinn is to provide a memory as tlie context information, while the protected 

microprocessor capable of protecting the encrypted attributes of tlie execution processing target data are stored 

attributes from Uic so called chosen-plaintext attack of the in tlic register inskle the processor, so that the illegal 

cryptoanalysis theory, in which the program can use arbi- aheration of the data can be prevented, 

trary vahie as the data encryption key, in order to achieve the fourth object, tlie second af^ct of 

The Gflh object of the presenl invention is lo provide a 45 the present invention has the following features. 'Ilie micro- 

ni icroprocessor pmvkled with a mechanism for the program processor that is formed as a single chip or a single package 

debugging and feedback. Namely, the presenl invention maintains a unique secret key therein that cannot be read out 

aims al prt>viding a microprocessor in which Ihe debugging to the external. ITie 1ms interface unit that provides a reading 

of the program is carried out in plaintext and the feedback function reads the code encryption key that is encrypted by 

of inlbimalion on defects is provided lo a program code usingauniquepublickey of the mk:n)pnx:essorcnrrespond- 

jjrovider (program vendor) in the case of the execution iog to the secret key in advance from a memory external of 

failure. the microprocessor. A key decryption unit that provides a 

The sixth object of the present invention is to provide a first dccr>'ption function dccr^'pts the read out code cncryp* 

microprocessor capable of achieving the lirsi 10 lif ih objects tion key by using the secret key of the microprocessor. The 
described above in a form that realizes both a low uost and 55 bus interface tmit also reads out a plurality of programs 

a high performance. encrypted by respectively different code encryption keys 

In order to acbkve the first object, the first aspect of the from an external memory. A code decryption tmit that 

present invention has the following fcamrcs. The micmpro- prt)vides a second decryption function decrypts these plu- 

ccssor which is formed as a single chip or a single package rality of read out programs. The instruction execution unit 
reads a plurality of programs encrypted by using code (it> cJtecuies these phiraliiy of decrypted programs. 

encryplioD keys that are diCferenl for diHerenl programs. In the case of inlerrupling Ihe execution of .some program 

from a memory' (a main memory, for example) external of among the pliu-ality of programs, a random number gencra- 

Ihc microprocessor through a bus interface unit that provides tion mechanism generates a random number as a temporary 

a reading function. Adecryplion unit decrypts these plurality key. The context inlormalion encryption/decryption unit 
of read out programs by using respectively corresponding 65 writes a first value obtained by encrypting infonnadon 

decryption keys, and an instruction execution unit executes indicating the execution slate of the program to be inler- 

these plurality of decrypted programs. rupled by using the random number, a second value obtained 
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by enurjpling this random number by using the cckIc encryp- 
tion key of the program to be intcrniptcd, .nnd a third value 
obuineil by eDcrypLing this rHndum number by using Ihe 
secret key of the microprocessur, into the eixlemal memory 
as the context information. 

In the case of restart! the execution of the program, the 
context information encryirtion/decryption unit reads out the 
context information from the external memory, decrypts the 
random number of the third value contained in tlie context 
information by iising the secret key, and decrypts the execu- 
tion state information contained in the context information 
by using the decrypted random number. At the same time, 
the random number of the second vahic contained in the 
context information is decrypted by using the code encryp- 
tion key of the program scheduled to be restarted. The 
random munbcr obtained by decrypting the second value by 
using the code encryption key and the random number 
obtained by decrypting the third value by using the secret 
key are ctimpared with Ihe temporary key» and the execution 
of the program is restarted only wIkd they coincide. 

In this way, the context informalion indicating the slnte of 
execution up to an interrupted point is encrypted by using 
(he random number that Ls generated at each occasion of the 
storing, and the signature using the secret key unique to the 
microprocesvsor attached, so that the context information 
can be stored in the external memory safely. 

In order to achieve the first to third and sixth objects, the 
third aspect of the present invention has the following 
features, llie inicropmcess^^r that is formed as a single chip 
or a single package reads out a plurality of programs 
encrypted by using the encryption keys that arc different for 
different programs, and executes them, 'this microjirocessor 
has an internal memory (a register, for example) that cannot 
he read nut to the external, and stores the encrypted 
attributes for data to be referred from each program (that is 
the processing target data) and the encrypted attribute sped- 
lying information into Ihc register. The context information 
encryption/decryption unit writes a related information that 
is related to the encrypted attribiuc specifying information 
stored in ibe icgiskT and containing a stature unique to the 
microprocessor, into the external memory. Aprotection table 
management unit reads the related informadon Jxom Ihe 
exlcmul memory according to ud address uf the data to be 
referred by the program. The verilication unit verities the 
signature contained in the read out related information by 
usmg the secret key, and permits the data referring by the 
program according to the encrypted attribute specifying 
iidbrmation and the read out related infonnation only when 
that signature coinckles with Ihe signature unu|ue to the 
microprocessor. 

In this configuration, the information to be suved In the 
internal register is attaclied with the signature and stored into 
the external memory, and only the necessary jx^rt ion is read 
nut to the microprocessor. 'Hie signature is verified at a time 
of reading, so that the safety against the substitution can be 
secured. Lven when the number of pmgrams to be handled 
is increased and the number of the encrypted attributes is 
increased, there is no fieed to expand the memory region 
inside the microprocessor so that a cost can be reduced. 

According to one aspect of the present invention there is 
provided a microprocessor having a unique secret key and a 
unique public key corresponding to the unique secret key 
(hat cannot be read out to external^ comprising: a reading 
unit configured to read out a plurality of programs encrypted 
by using diHereni execution code encryption keys from an 
external menoory; a decryption unit configured to decTypt the 



25 



30 



55 



60 



65 



plurality of programs read out by the reading unit by u.sing 
respective decrypdon keys; an execution unit configured to 
execute the plurality of programs decrypted by the decryp- 
tion unit; a context information saving unit configured to 
save a context information for one program whose execution 
is. to be interrupt ett, into the external memory or a context 
inforniatlon memory provided inside the microprocessor, 
the context information containing information indicating an 
execution state of the one program and the execution code 
encryjrtion key of ilie one program; and a restart unit 
configured to restart an execution of the one program by 
reading out the context information from the external 
memory or the context information memory, and recovering 
the execution state of the one program from the context 
information. 

Other features and advantages of the present invention 
will become apparent fcom the following description taken 
in conjimction with tbc accompanying drawings. 

BRlEt* DESCRIKnON OF THE OKAWINGS 

FIG. 1 is a block diagram showing a system incorporating 
a microprocessor according to the lirst embodiment of the 
present invention. 

I'Ki. 2 is a diagram showing an entire memory i^ace used 
in the micrupruoessor of FIG. 1. 

I'Ki. 3 is a bk)ck diagram showing a basic o'^nfiguration 
of a microprocessor according to the second embodiment of 
the present invention. 

FIG. 4 is a block diagram showing a detailed configura- 
tioD of the microprocessor of FIG. 3. 

FIG. 5 is a diagram showing a page directory and a page 
table format useil in Ihe microprocessor of FIG. 3. 

FIG. 6 is a page table and a key entry format used in the 
microprocessor of I Kl. 3. 

FIGS, 7A and 7B arc dia^ams respectively showing 
exemplary data l")efore and after interleaving used in the 
microprocessor of FIG. 3. 

FIG. 8 is a diagram showing a Uow of inlbimation fbr a 
code decryption processing to be carried out in the micro- 
processor of FIG, 3. 

I IG. 9 is a diagram showing a CPU register used in the 
microproces.sor of FIG. 3. 

l-Ki. 10 is a diagram showing a ci>nlext saving format 
used in the microprocessor of FIG. 3. 

FIG. 11 is a flow chart for a protection domain switcJiing 
procedure to be carried out in the microprocessor of FIG. 3. 

FIG. 12 is a diagram showing a flow of infonnation for 
dala enuryplion and decryplion processing to be carried out 
in the microprocessor of FIG. 3. 

FIG. 13 is a diagram conceptually showing a process of 
execution control wtthin a protection domain by the micro- 
processor of FIG. 3. 

I'Ki. 14 is a diagram conceptually showing a process of 
call up and branching from a protcclion domain to a non- 
proteaion domain by the microprocessor of FIG. 3. 

FIG. 15 is a diagram showing a context saving format 
used in a conventional processor. 

DETAILED DESCIUPTION OF THE 
PRUI'LRRLiI) UMUOniMUN l'S 

Referring now to FIG. 1 and FIG. 2, the first embodiment 
of a tamper resistant micropiocessor according to the present 
invention will be described in detail. 
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This liibL cmbcxlinienl is direcled to a microproccssur for 
prulecling secr&ls ul the program instruclions (cxcculioa 
codes) and the aintext information (execution state) which 
are to lie provided in encrypted forms by using the jniblic 
key (asymmelnc key) cryplosystem. Ijoid a user of a tJirget 
system. 

FIG. 1 shows the target system, where a micropiotx^ssur 
2101 of the taigel syslem is connected to a main memory 
2103 through a bus 2102. 

As shown in FIG. 1, in this embodiment^ the micropro- 
cessor 2101 has a register file 2111, an instruction execution 
unit 2112, an instruction buU'er 2113, a pubh'c key desci>'p- 
lion funaion 2114, a secret key register 2115, a common key 
decryption function 2116, a common key register 2117, a 
IHU (HMf. Interface Unit) 211H. a register buffer 2119, a 
public key register 2120, an encryption funciion 2121, a 
decryption function 2122, and a previous cummoo key 
register 2123, which will be described in further detail 
below. 

First, the terms to be used in the following description will 
be described, and the operation of general ojjerating sy.stem 
(OS) and application programs will be described briefly. A 
program is a set of data and a scries of maebioe language 
instructions written for some specific purpose. The OS is a 
program for managing resources of the system, and die 
applkdliun is a program to be operateil under the resource 
management of the OS. This embodiment presupposes the 
multi-task system, so that a plurality of application programs 
will be operated in a quasi parallel manner under the 
management of the OS. Each one of these programs that arc 
operated in the quasi parallel manner will be referred to as 
a process. There are cases where a set of processes for 
executing the processes for the same purpose will be 
referred to as a task. 

The instmctions and data of the application program arc 
usually stored in files on a secondary memory. They arc 
arranged on a memory by a loader of the. OS and executed 
as a process. The execution of the program is often inters 
ruptcd by an exception (or interruption) processing of the 
processor caused by input/output or the like. A program for 
carrying out the exception processing will be reUened to as 
an exception handler. The exception handler is usually set up 
by the OS. The OS can process an exception request from 
the hardware, interrupt the operation of the appUcalion and 
restart or start the operation of another application at arbi- 
trary timing. The interruptions of the process include tran- 
sitory cases where the execution of the original process is 
restarted without switching processes after the execution of 
the exception handler, and cases requiring the process 
switching. Examples of the former include a simple timer 
increment and examples of the latter include a virtual 
menx>ry processing due to tlic page exception. 

The object of this embodiment is to protect the program 
instructions (cxcaition codes) and the execution state from 
a user of Ibe target sy.slem who can Jreely read the main 
mcn(X>ry of the target system and freely alter die OS program 
or application programs. 

The basic features for achieving this object arc the access 
control with respea to the infx^rmation storage in.Mde the 
processor and the encryption based on the information listed 
below. 

(1) A common key Kx selected by a program cTealor, The 
application program will tic encrypted hy the secret key 
cryt)tosysicm iL^ing this key. 

(2) A pair of a unique public key Kp and a unique secret 
key Ks provitled inside the proces.sc>r. The public key can be 
read out by the program by using instructions. 
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(3) An encr>'ption key information in which the conunon 
key Kx of the program is encrypted by using the public key 
Kp of the processor. 

[Execution of a Plaintext Fnngram] 
^ 'ibis prix:cfisor is capable of executing a program with 
coexisting plaintext instructions and encrypted instructions 
which is placed on the main memory. Here the operation 
inside the CPU for the execution of a plaintext program will 
be dcsaibcd with references to FIG. 1 and a memory 
^'^ arrangement shown in HG. 2. 

FIG. 2 shows an entire memory space 2201, in which 
programs are placed in regions 22U2 to 2204 on the main 
memory, where regions 2202 and 2204 are plaintext regions 
while a region 2203 is an encrypted region. A region 2205 
stores a key information to be used in decrypting the region 
2203. 

The execution of the program is started as the contAM is 
shifted fA->m tlie OS by an instruction for jump to a Uip X of 
20 the program or the like. The instmctioTi execution unit 2112 
executes tlie instruction fnr jump to X, and outputs an 
addresAof the instruction to the HIU 21t8,'l'he content of the 
addrefw> X is read through the bus 2102, sent from the BIU 
2118 to the instruction buffer 2113, and sent to the instnic- 
25 tion execution tmit 2112 where the instruction is executed. 
Its operation result is reflected in the register file 2111 . When 
the operation target is reading/writing with respect to an 
address on the main memory 2103, its address value is sent 
to the "RIU 2118, that address is outputted from the BTU 2118 
JO to the bus 2102, and data reading/writing with respea to the 
memory is carried out. 

The instruction buffer 2113 has a capacity for storing two 
or more instructions, aiKl the instructions corresponding to a 
toze of the instruction buffer 2113 are collectively read out 
35 from the main memor>' 2103. 

[lixecution of Lncrypted Instructions] 

Next, the czsa of executing an encrypted instruction will 
1^ described. 'Ilie processor of this embodiment has two 
states including die execution of plaintext instructions and 
the execution of encrypted instmctions and two types of 
instmctions for controlling these states arc provided. One is 
an encryption execution start instruction for making a tran- 
sitinn from the execution of plaintext instnictions to the 
_ execution of encrypted instructions, and another is a plain- 
text retum instruction for maidng a reverse transition. 

[Encr>'ption Execution Start Instruction] 

The encryption execudon start instruction is denoted by 
the following mnemonic "cxccenc" and takes one operand: 

^'^ twenc keyaddr 

Where "kcyaddr" iodicatcs an address where the key infor- 
mation to be used in decryjiting tlie sulisequent instructions 
is stored. 

55 [Key Information] 

Here, the key information and the program encryption 
will be described. The encr>'pted region 2203 comprises a 
sequence of encrypted instructions. The instmctions arc 
subdivided into blocks in tmits of a prefetch queue size and 

00 encrypted by the secret key algorithm such as DES (Data 
Encryption Standard) algorithm. A key to be used in this 
encryption will be denoted as Kx hereafter. Since the secret 
key algorithm is used, the same key Kx is also used for the 
decryption. 

65 If this Kx is placed on the main memory in a plaintext 
form, a user who can operates the OS of the target system 
can easily read it and analyze the encrypted program. In 
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onWr lo preveni ihis, E;5,-^£Kx] obtained by encrypting Kx by 
using the public key Kp of ihe procesiior will be placed in the 
region 2205 of the memory. A top address of this region is 
indicated by **keyaddr"- 

II is ciypk>graphically (cumpulaliunally) impossible lo 
decrypt Kx from E^^Kx] unless one knows Ks oorrcspond- 
ing to tlie putilic key K\y. Oinsequeiitly, tlie secret of the 
program will never 1)e leaked to the aser as long as the user 
of the taigct systciii docs not know Ks. Hiis K& is stored in 
a form that cannot be read out from the cxtCToal, inside the 
processor. 'Hie pft->cessor can decrypt Kx internally without 
alluwiog the user U.i learn about it, and the processor can also 
decrypt the encrypted program by using Kx and execute it. 

In the following^ the encryption execution start instruction 
and the subsequent I be execuliun of the encrypted instruc- 
tion will be described in detail. I)y the execution of the Jump 
instruction in a region 2207, the control is shifted to the 
encryiJtion execution start instruction at the address *'start**. 
At the address indicated by the operand ''kcyaddr" of the 
encryjition execution .start instruction, the content of the 
specified region 2205 is read out to the infrtruction execution 
unit 21 12 of the processor as data, 'llie instruction execution 
unit 2112 sends this data Ej^Kx] to the public key deciyp- 
tinn function 2114. 'ITie public key decry^nion function 2114 
takes out Kx by decrypting lij^pfKx] Ivy using a secret key Ks 
unique to the processor which is stoccd in the secret key 
register 2115, and stores it i n the common key reg Ister 2117. 
Then, the processor enters tbc encrypted instruction execu- 
tion state. 

Here, it is assumed that tbc processor packagjc is manu- 
factured such that tbc contents stored in the secret key 
register 2115 and the common key rcg;istcr 2117 cannot be 
read out to die external by tbe program or Hac debugger of 
the processor cliip. 

By executing Ihe encryption execution start instruction) 
the key to be used in decrypting the subsequent instructions 
is stored into the cxjmmon key ieg;isier 2117, and the 
processor is entered into the encrypted instruction execution 
State. When the processor is in the encryptc<l instruction 
execution state, tbe instructions read Irom Uie main memory 
2103 are sent from the BIU 2118 lo a common key decryp- 
tion luDciion 2116, decrypted by using the key iufonnaiion 
stored in tbe commun key register 2117 and stored into the 
iustriiction buffer 2113. 

In this embodimenit the program eacrypied by using the 
key Kx which is stored in the region 2204 next lo the 
encryption execution start instriiction will be decrypted, 
stored in the instniclioii buHer 2113, and executed. Hie 
reading is carried out in units of a size of the instruction 
buffer 2113. IIG. 2 shews an exemplar^' case wheie the size 
of the instruction buffer 2113 is 64 bite, and four instructions 
of 16 bits size each are collectively read out to the instruc- 
tion buffer 2113. 

[Plaintext Kecurn Instruction] 

'Hie processor in the encrypted instruction execution state 
returns to the plaintext instruction execution state by the 
execution of the plaintext return instruction. 

Tiie plaintext return instruction is denoted by tbe follow- 
ing mnemonic: 

exiieiic 

which lakes no operand. By execution of ihis ioslruction, the 
reading of the instructions from the main memory 2103 is 
carried out Ibrougb a path thai dues nol pass Lhiough the 
common key decryption function 2116^ and the processor 
returns to the execution of tbc plaintext instructions. 

Note that when the encryption execuliun start inslruaioQ 
is executed again during the execution of tbe encrypted 



53,374 B2 

12 

inslruciiun» the instruction decryption key is changed such 
that the subsequent instructions are decrypted by using a 
different key and executed. 

[C^onlexi vSaving and Attack Against It] 

5 Next, the sale saving of the execuliun slate in order to 
protect the secret of the application program in tbc multi- 
task environment will be descril^ed. 

The register fflc 2111 of tbis processor has 32 general 
puri)ose registers (KO to K31). K31 is used as a program 
counter. 11ie contents of tl» general purpose registers arc 
stoicd in the register file 2111. When the exception occurs 
during the execution of the encrypted program as described 
above, the contents of the register file 2111 arc moved to the 
icgistcr huflfcr 2119, and the contents of the register file 2111 

^5 arc initialized by a prescribed value or a random number. 
Then, the value of tbc common key tised for decryption of 
the encrypted program is stored in the prcvioiw common key 
register 2123. Only when these two types of initialization arc 
completed, tbe control is shifted to the exception handler and 

2^ the instructions ol the exception handler are executed. The 
instructions of the exception handler arc assumed to be 
non-encrypted. 

By this register file initialization fuiK'lion, in tbe processor 
of this embodiment, the reading of the register values 

25 processed by the encr>'pied program by the exception han- 
dler program is prevented even in the case where Ihe control 
is shifted to the exception handler as an exception occurs 
during the execution of the encrypted program. At Ihe same 
time, the contents of the register file 2111 are saved in the 

30 i^^^l'^i' buffer 2119, and there is a Tunction Tor recovering 
Ihe register buffer contents and lor storing Ibem into the 
memory as will be described below, so as to enable the 
leslarl of the encrypted program. 

Now, tlie register contents stored in tlie register buffer 

35 2119 cannot be read out directly from tbe uou-eocrypted 
pmgrain of the exception tiandler. 'Hie non-encrypted pm- 
grani of the exception handler is only allowed to perform the 
following two operations with respect lo Lhe register buffer 
2119. 

(1) Recover tbe register buflRsr contents and restart the 
execution of the original encrypted program. 

(2) lincrypting the regi.ster buffer contents and store them 
into the memory, and execute the OS program or another 
encryi>ted program. 

45 I n the case of (1 ), when tbe exception handler processing 
such as the inacmcnt of the cotmtcr is finished, the excep- 
tion handler Issued a '"cont" (continue) instractkin. When the 
'-'oonf ' instniclion is executed, the contents of tbe register 
buffer 2119 and tlie previous common key register 2123 are 

jj,^ recovered in the register file 2111 and the common key 
register 2117, respectively. The program counter is con- 
tained in the register file 2111, so that the execution of the 
encrypted program is restarted by setting the control back to 
a point where the execution of the encrypted program was 

55 interrupted. For lhe tlecryplion ol* lhe encrypted program 
after the restart, the value recovered from the previous 
common key register 2123 will be used. Similarly as the 
contents of the register buffer 2119, the program cannol 
rewrite the previous common key register 2123 explicitly. 

The case of (2) corresponds lo lhe case where the process 
switching occurs at a timing of tbe execuliun ol lhe excep- 
tion handler. In this case, tbe exception handler or a task 
dispatcher of lhe processor issues a '^.savereg** (save register) 
instruction lor saving tbe contents oC Lhe register buffer 2119 
into the memory. This "savereg" instruction is dcnotetl by 
lhe following mnemonic: 

(iBvcrs^ dent 
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sinci lakes one operand "desl" iadicaliag an address Lu which 
the register buffer cooteats arc lo be saved. 

When Ihe *'savereg" insiruclion is issued, the conlenLs of 
Ihe regisier buHer 2119 and ihe previous common key 
register 2123 are eocoipled by the encryption function 2121 
by using ihe public key Kp of the processor slored in the 
public key register 2120, and saves at an address on the main 
memory 2103 specified by ''desr" through the 13IU 2118. ITie 
main memory 21(B is ouLside the processor so that it has a 
possiliility of being accessed by the user, but these contents 
are encrypted by the public key of the processor so that the 
user who does not know the secret key of the processor 
cannot learn the register bufifer contents. 

After the register buffer contents arc saved, the OS 
activates another encry|ited program by the method 
described above. If another encrypted program is activated 
without saving the register buffer contents, the register 
hulTer contents would be rewritten to those nf another 
encrypted program when tbc execution of anotber encrypted 
program » interrapted, and h would become impossible to 
restart the original encrypted program as the register bufOcr 
contents for tbc original encrypted program arc lost. 

Here, the number of the register buffer is assumed to be 
one, but it is also possible to provide a plurality of register 
buffers so as to be able to deal with multiple exceptions. 

[Recovery Procedure] 

Next a proccdtirc for recovering the saved execution state 
will be described. 

At a lime of rcstaniog the interrupted application, a 
dLspaicher of the OS issues a "'rcvrreg" (recover regisier) 
in.slruclion. This ''revrnsg" instruction is denoted by the 
following mnemonic: 

TLvrreg ackh* 

and lakes one operand "addr"* indicHling an address al which 
the execution state is saved. 

When the ''rcvrreg" iaslruciion is issued,, Ihe encrypled 
execution slate inlonDaiion is uken out irom (he address of 
the memory specilied by ''addr" by Ihe BIU 2118 of the 
processor, decrypted by using the secret key Ks of the 
processor by the decryption function 2122, and Ihe register 
information is recovered in the register file 2111 while the 
program decryption key is recovered in the a>minon key 
regisier 2117. When Ibe recovery is completed, Ihe execu- 
tion of the interrupted program is restarted from a point 
indicated by the prrygram counter. At this point, the key Kx 
recovered from the execution state information will he used 
for decryption of the encrypted program. 

The detail of tbc saving and the recover)' of tbc execution 
state in relation to the intern:^tion of the encrypted program 
due to exception has been described above. As already 
described above, the cnci>'pted programs are safe against 
attacks from the user who can operate the OS of the target 
system. 

Kcxt, the safety of the above described scheme against 
two types of attacks against the execution state will be 
described. 

[Attacks Against the Execution State] 

There arc two types of attacks against the execution state 
that is generated in a process of the application execution. 
One is the peeping of the saved execution stale by an 
attacker, and the other is the rewriting of the execution state 
lo a desired value by an attacker. 

Here, the following two lenns for expressing the illegal 
accesses to the execution state will be defined. First, the 
program that has generated the execution stale will be 
referred to as an original program for that execution state. 
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The original program can be restarted by recovering the 
execution state in the registers. On the other hand, programs 
other than the program that has generated Ihe execution 
stale, that Ls programs encryptwl by encryption keys dilfer- 

5 eot from that of the original program or plaintext programs, 
will be referred to as other programs. 

The illegal accesses or ttie attacks with resiwct to the 
execution state generated by some original program are 
defined as an act of directly analyzing tlie execution slate on 

11) the memory by some method independently from the opera- 
tion of the processor by a third party who does not know the 
encryi>tion key of the original program, or an act of analyz- 
ing the execution state or rewriting the execution state to a 
desired value by a third party utili^ng the other programs 

15 operated on die same processor. 

In the microprocessor of this embodiment, the execution 
state is protected by the following three types of mecha- 
nisms so as to prevent the illegal accesses utilizing the 
access to the memory external of the processor or the other 

20 pmgrains. 

First, in this embodiment, the register information is 
saved in the regbtcr buffer 2119 when the execution of tbc 
encrypted program is interrupted. Tben^ the register buffer 
2119 and the previous common key register 2123 cannot be 

25 accessed by any methods other than that using the "rcvrreg** 
instruction or tbc "savereg" instruction, so that the other 
programs cannot read their contents freely. 

In the conventional procesiior, ihe regisier contents al a 
time of the cxccptk>n occurrence can be ficcly read by the 

30 exception handler program. In the microprocessor of this 
embodiment, ibe register cunlents are save<l in the regisier 
buffer 2119 so as to prohibit the reading firom the other 
programs, and the insiruaion for saving the register buffer 
contents by encrypling them by using the public key of the 

B5 prcK'essor is provided so as to prevent the peeping of the 
execution stale saved on the memory by ihe user ol the 
sysiera. 

The second attacking method includes a method! for 
reading values of the registers contained in Ihe execution 

4i> state t)y placing ilie instruction of some other program 
known to Ihe attacker al Ihe same memory acklress as the 
original program such that this otiier program reads the 
encryjited execution state. 

In Ihe microprocessor of this embodimeni, the encrypted 

45 execution state contains the program encryinion key, and 
this key will be used in decry]>ting the encrypted program at 
a time of restart iiecau.se of this mechanism, even when the 
other program other than the original xerogram attempts to 
read the excxrutioa state, the key for docs not match so that 

51) the program cannot be decrypted correctly aixl the program 
cannot Ik executed according to the intention of the attacker. 
Thus the second attacking method is impossible in the 
microprocessor of this embodiment. 
This cfiGect cannot be realized by simply encrypting the 

55 execution state itscff by tbc public key of the processor, but 
can be reaEzcd by encrypting the decryption key of tbc 
original program and tbc execution state integrally. 

Note that, in order to maximize this effect, values of the 
registers (RO to R31) and the common key Kx should 

tio preferably be stored in the identical cipher block at a time of 
the encryption using the public key. 
[Data Protection] 

In the microprocessor of this embodiment, the encryption 
of the data is not accounted, but it should be apparent to 
(i5 those skilled in the art that it is possible to add the data 
encryption function lo the microprocessor of this embodi- 
ment similarly as ihe data encryption in the microprocessor 
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Tor supp<.>rlmg ihe virtual memory which will be described 
in the second embodiment. 

Kefemng nnw to J-'Ki. 3 to VtCi. 14, the second enibtxli- 
nient of a tamper resistant niicropax;cssor acoirding to the 
pieiMiDl. invention will be described in detail. i 

la this embodiment, the microprDccssor according to the 
present invention will be descril^ed for an exemplary case of 
using an architecture based on the widely used lA^ntium Pro 
oiicroproccssor of the Intel corporation, but the present 
invention is not limited to this particular architecture. In the 
following denser iptinn, features specific to the Pentium Pro 
micruprocessur Hrchilecture will be noted and applications 
to the other architectures will be mentioned. 

Note that the Pentium Pro architecture distinguishes three 
types of addresses in Ihe address space including physical 
addresses, linear addresses and logical addresses, but Ihe 
linear addresses in the Pentium terminology will also be 
referred to as logical addresses in this emlxidiment. 

Id the Lbllowing description, the prutecLiun implies Ihe 
protection of secrets of applicaiioos (thai is the pruleclion by 
encry]3tion), unless othen^'ise stated. Cjoiisequently, the pro- 
tection in this cmtx)dimcm should be clearly distinguished 
from the ordinarily used concept of protection, that is the 
prevention of disturbances on the operations of the other 
applicaiioiis due to the operation of some application. 
However, in the present invention, it is assumed that the 
operation protection mechanism in the ordinary sense is of 
course provided by the OS (although the description of this 
aspect will be omitted as il is unrelaleil lo the present 
mvention), in parallel to the protection of secrets of appli- 
cations according to the present invention. 

Also, in the lollowing description, a machine language 
instructions that arc executable by the processor will be 
referred u> as instructions, and a plurality of instructions will 
be uolleclively relerred lo as an execution code or an 
instruction stream. A key used in encrypting I be inslrucliou 
stream will be referred lo as ihe execution code encryplion 
key. 

Also, in the following description, the secrel proteciion 
mechanLsm will be described as protecting secrets of appli- 
cations under the management of the OS, Imt this mecha- 
nism can ako be ulili^eil as a meuhanism for protecting the 
OS itself from aUeration or analysis. 

I 'Ki. 3 shows a basic config:uration of the microprocesfior 
acconling lo this embodiment, and FIG. 4 shows a detailed 
configuralion of the micropmccs.<»r shown in M(j. 3. 

'Hie micmpn'xressor 101 has a processor core til, an 
instruction TIA% (l^b\c Ijooloip Huffer) 121, an exception 
processing unit 131, a data '11 M (Table I jookup I Suffer) 141, 
a secondary cache 152. The processor core 111 includes a bus 
interface unit 112, a code and data encryption/decryption 
processing unit 113, a primary cache 114, and an instruction 
execution unit 115. 

'Ilie instruction execution unit 115 further includes an 
instructioQ fctch^'dccodc unit 214, an instruction tabic 215, 
an instruction execution switching unit 216, and an instruc- 
tion execution completing unit 217. 

The exception processing unit 131 funhcr includes a 
register file 253, a context informatinn encryption/ 
decryption unit 254, an exception processing tmit 255, a 
secret protection violation detection unit 256, and an execu- 
tion code encryption key and signature verilication unit 257. 

The instruction TLB 121 further inchidcs a page tabic 
buller 23(1, an execittion code decryption key table buHer 
231, and a key decryption unit 232. The data TLB 141 
further includes a protection table management unit 233. 

The microprocessor 101 hHs a key storage region 241 for 
storing a public key Kp and a secrel key Ks which are unique 
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to this microprocessor. Now, consider the case of purchasing 
a desix^cl execution program A from some program vendor 
and executing il. The program vendor encrypts the program 
A by using a common execution code encryplion key Kcode 
(Ljrrv-i*[A]) before .supplying the execution program A, and 
seixls the common key Kcode used lor encryplion in a form 
encrypted by using the public key Kp of the rnicroproces.<ior 
101 (i:^^[KiXide]) to the microprocessor 101. 'Ibe micro- 
processor 101 is a muhi-task processor whidi pixicesses not 
ii» only this execution program A but also a plurality of 
different encrypted programs in a quasi parallel manner (that 
is by allowing interruption.^*). Also, the microprocessor 101 
obviously executes not only the encrypted programs but also 
plaintext programs. 
15 'llie micropmoes.sor 101 reads out a jilurality of programs 
encrypted by using different execution code encryption keys 
from a main memory 281 external of the micropmcessor 101 
through the Inis interface unit (reading function) 112. The 
execution code decryption unit 212 decrypts these plurality 
2r> of read out programs by asing respectively corresponding 
decryption keys, and the instruction cxcoition unit 115 
executes these plurality of decrypted programs. 

In the case of interrupting the execution of some program, 
the context information encrypiioa'dccryption imit 254 of 
25 the exception processing unit 131 encrypts infonnation 
indicating the execution state up to an interrupted point of 
the program to be interrupted and the code encryption key of 
this program by using the public key of Ihe microprocessor 
101, and writes the encrypted infonnation into the main 
^0 memory 281 as the context information. 

In the case of reslarting Ihe interrupted program, the 
execution code encryption key and signature verification 
unii 257 decrypts ihe encrypted context information by 
using ihe secret key of Ihe micrtiprocessor 101, verilies 
*3S whether the execution code encryplion key contained in the 
decry pUid context information (thai is the execution code 
encr>*plionb key of ihe program scheduled lo be restarted) 
coincides with the original execuiion code encr>'piion key of 
the inU^rrupled program, and restarts the execution of the 
40 program only when they coincide. 

Here, belbre describing the detailed conilguration and 
functions of the microjirocessor 101, the processing proce- 
dure for the execution of plaintext instructions and the 
execution of encrypted programs by the microprocessor 101 
45 will be outlined. 

When the microprocessor Ipl executes a plaintext 
instmctinn, tlie instruction fetch/decode unit 214 attempts to 
read the content of an address indicated by a program 
counter (not shown) from an LI instruction cache 213. If the 
5i> concent of the specified address is cached, the instruction is 
read out from the 1.1 instruction cache 213, sent to the 
instruction cable 215, and executed. The instruction table 

215 is capable of executing a plurality of iastmctions in 
parallel, and icqucsts reading of data necessary for canrying 

55 out the execution to the mstruction execution switchmg unit 

216 and receives the data. When the instructions are 
executed in parallel and their execution results are 
determined, the execution results arc sent to the instrucHon 
execution completing unit 217. The instruction execution 

60 completing vinit 217 writes the execution result into the 
register 0le 253 when Ihe operation taigel is a regisier inside 
the microprocessor 101, or into an LI data cache 218 when 
the operation target is a memory. 
The conieni of the LI data cache 218 is cached once again 
OS by an L2 cache 152 under the control of the bus interface 
unit 112, and written into the main memory 281. Here, the 
virtual memory mechanism is used, where a correspondence 
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between (he logical memorj' atWress and Ihc physical 
memory address Ls defined by a page table shewn in VIO, 5. 

The page table is a dula structure placed od the physical 
memory. The data TLB 141 actually carriei»oui a c<.mversion 
£fom the logical addicss to the physical address, and at the 
same time manages the data cache. The data TLB 141 reads 
a necessary portion of ttie table according to a top address of 
the table indicated by a register inside die micropiocessor 
101, and carries out the oix;ration for converting the logical 
address into the physical address. At this point, only the 
oeoessary portion of the page table is read out to a page table 
buflvr 234 according to the logical address to be acceSvSed, 
rather than reading out the entire page table on the memory 
to the data Tr.n 141. 

'llie basic cache operation is stable regardless of whether 
the instructioiis of the program arc encrypted or not. Namely, 
a part of the page table is read out to the instruction TT.B 
121, and the address conversion is carried nut according to 
the definition contained therein. The bus interface unit 112 
reads instructions from tlie main memory 2Ht or the T2 
cache 152, and instructions are stored in the LI instruction 
cache 213. The reading of instructions out to the LI instruc- 
tion cache 213 is carried out in units of a line fonncd by a 
plurality of words, which enables a faster access than the 
reading in word units. 

The address convcision utilizing the same page table on 
the physical memory is also carried out for the processing 
tai^et data of the executed instructions, and the execution of 
the conversion is carded out at the data TLB 141 as 
described above. 

The operation up to this point is basically the same as the 
general cache memory operation. 

KexL, (he opera lion in (he case of executing an encrypted 
program will be described. In this embodiment, it is assumed 
thai the execution cxules for which secrets are to be protected 
are all encrypted, and the encrypted execution codes will 
also be referred to as protected cotles. In addition, a range of 
the protection by the same encryption key will be referred to 
as H protection domain. Namely, a set of codes protected by 
the same encryption key is belonging to Uk same domain, 
and codes protected by dillerent encTyptiun keys are belong- 
ing to different protection domaias. 

I'irRt, the execution codes of a program encrypted by the 
secret key scheme block cipher algorithm are stored on the 
main memory 281. A method for loading the encrypted 
program transmitted from a program vendor will be men- 
tioned below. 

A cix>her block size of the execution codes can l>e any 
value as long as two to the power of the block size coincides 
with a line size that is a unit for reading/writing with respect 
to the cache memory. I lowever, if the block size is so small 
that a bbck length oomcidcs widi an instrucdon Ici^h, there 
arises a possibility for analyzing the instruction easily by 
recording a correspondence between encrypted data and a 
predictable portion of the instruction such as a top portion of 
a sub-routine. For this reason, in this embodiment, the 
blocks are mccrlcaved such that there is a mutual depen- 
dency among data in the blocks and ttic cncrj'ptcd block 
contains information on a plurality of instruction words or 
operands. In this way, it is made difficult to set a coircspon- 
dence between the instruction and the encrypled block. 

FIGS, 7Aand 7B show an example of the interleavmg tliat 
can be use^l in this embodiment. In this example, ii is 
assumed that ihe line size o£ the cache is 32 bytes and the 
block size is 64 bits (i.e., 8 bytes). As shown in FIG. 7A, 
before the interleaving, one word is Ibrmed by 4 bytes, so 
thai a word A is formed by 4 byles of AO to A3. One line is 
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ibrmed by 8 words of A to H. When this is interleaved in 
units of 8 byles corresponding to the block size of 64 bits, 
as shown in I'lG. 7U, AO, UO, . . . , 110 are arranged in the 
first block corresponding to word 0 and word 1, Al, HI, 

5 HI are arranged in the next block, and so on. 

An attack can be made more difiScidt by setting a length 
of a region to lie interleaved longer, liut the interleaving of 
a region with a length longer than the line size makes the 
processing more complicated and lowers the pioccssing 
speed t>ccausc the decryption/encryption of one cache line 
would depend on reading/writing of another line. 'ITius it is 
preferable to set a range fiur interleaving within a range of 
the cache line size. 

Here the method for interleaving data of blocks is used 
such thai ihere is a mutual dependency among data in a 
plurality of blocks contained in the cache line, but it is also 
possible to use the other method for generating a depen- 
dency among data bUx:ks, such as the CBC (Cipher Bk)ck 
Chaining) mode of the block cipher. 

The decryption key Kcode (which will also be referred Lu 

ZD as the encryption key hereafter even in the case of decryp- 
tion because the encryption key and the deciyption key arc 
identical in the secret key algorithm) of the encrypted 
execution codes is determined according to the page tabic. 
FIG. 5 and FIG. 6 show a table structure of the conversion 

25 from the logical address to the physical address. 

A logical address 301 of the program cotmter indicates 
some value, and a directory 302 and a table 303 constituting 
its upper bits specify a page eniry 307-j. The page entry 
307-j contains a key entry ID 307-/-A; and a key entry 309-w 

30 to be u.sed for decryption of this page is determined in a key 
table 309 according to this ID. The physical address of the 
key table 309 is specified by a key tabic control register 308 
inside the microprocessor. 

In ihis uonilgii ration, the ID of Ihe key entry is sel in the 

jt5 page entry rather than setting Ihe key information directly, 
such that the key information in a large size is shared among 
a plurality of pages so as lo save a limited size of a memory 
region on the instruction TLB 121. 

In further detail, the page table and key table infurmation 

40 is stored Um the instruction VIM 121 as follows. Only 
portions necessary lor the access to the memory is read out 
from the page tallies 306, 307 and 311 to the page talile 
buffer 230, and from the key table 309 hi tlie execution code 
decryption key table buffer 231. 

45 I n a Mate of bei ng stored on the m ai n memory, a refere nee 
counter nf the key object 309-m which is an element of the 
key table 309 indicates the number of page tables that refer 
to this key ol^ject. In a state where tlie key ol^ject is read out 
to the execution code dccryptbn key talkie buffer 231, this 

5i» retbrenoe counter indicates the number of page tables that 
refer to this key object and that are read out to the page talile 
btiffer 230. Ibis reference counter will be used for judge- 
ment at a time of deleting any unnecessary key object fmm 
the execution code decryption key table buffi^r 231. 

55 Oik of the features of this cmboduuent is that the key 
table entry has a fixed length but a key length used in each 
table is made variable in order to be able to deal with a 
higher cryptoanalytic power, and specified at a key size 
region of the key table. It implies that the secret key Ks 

60 imique to the microprocessor 101 is fixed but the length of 
Kcode lo be used for encryption and decrypticm of the 
program can be changed by the specification of the key 
entry. In oriler lo specify a position of the variable length 
key, the key entry 309-wi has a lield 3U9-;?i-4 pointing lo the 

65 key entry, which indicates an address of the key objea 310. 
In the key object region 310, ihe execution cotle encryp- 
tion key Kcode is stored in u form Ej^Kcode] encrypled by 
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Ihe public key algorilhiD using ihe public key Kp oC the 
micrupracessor 101. In order to encrypt da I a saCely io the 
public key algnrithni, a large redundancy is necessary, so 
that a lengtb of the encrypted data beoi')nies longer than a 
lenglli uf the original ilala. Here, lengths oi' Ks and Kp are 
set to be 1024 bits, a length of Kcodc is set to be 64 bits, 
which is exteixled tn 256 bits by padding, and ii[Kcnde] is 
cncry{)ted in a lengtli of 1024 bits and stored in tlie key 
object region 310. When Kcodc is so long that it cannot be 
stored in 1024 bits, it is divided into a plurality of blocks of 
1 024 bits size each and stored. 

FIG. 8 summarizes the infurmulion ilow in Ihe code 
decryption. A program counter 501 indicates an address 
"Addr" on an encrypted code region 502 on a logical address 
s*pacc 502. The logical address "Addr" is converted into (he 
physical address "Addi"' according to the page table 307 
that is r&ad out to the instiuctioo TLB 121. At the sanoc time, 
the encrypted code decryptk>n key EpCcnde] is taken out 
Iiom Ihe key table 309, decrypted by using the secret key Ks 
provided io the CPU at a decryplioD function 506, and stored 
into a current code decryption key memory unit 507. The 
common key Kcodc for the code cocrypdoa is encrypted by 
using the public key Kp of the microprocessor 101 by the 
program vendor, and supplied atong with the program 
encrypted by using Kcode, so that the user who docs not 
know the secret key Ks of the microprocessor 101 caimot 
know Kcodc. 

After the program execution codes are encrypted by using 
Kcode and shipped, the program vendor keeps and manages 
Kcodc safely such that its secret will ix>t be leaked to a third 
party. 

An entire key table 511 and an entire page table 512 are 
placed in a physical memory 510, and their addresses arc 
speciliwl by a key table register 508 and a CR3 register 509 
respectively. From the contents of these entire tables, only 
necessary portions are cacbied into the instruction TLB 121 
through Ibe bus inlerlace unit 112. 

Now, when a coniem 503 corresponding to the physical 
address "AiUlr'** as converted by the instruction TLB 121 is 
read out by the bus interface unit 112, this page is encrypted 
sn that it is decryiJted at a code decryiJiion function 212. Ilie 
reading is carried out in units of the cache line size, and after 
the decryption in lilock units, the inverse processing of the 
interleaving described al>ovc is carried out. Ilie decrypted 
result is stored in the LI instruction cache 213, and executed 
aft an instructjon. 

Here, the method for loading the encrypted program and 
the relocation of the encrypted program wilt be described. 
I'or the loading of a program into die memory, there is a 
metlx>d in which a program loader changes an address value 
contained in the execution codes of the program in order to 
deal with a change of an address for loadiiig the pmgrani,but 
this method is not applicable to the encrypted program. 
However, llie relocation of the encrypted pA^gram is pos- 
sible by using a mctliod of rcaliziag the relocation without 
directly rewriting the cxcaition codes by utilizing a tabic 
called Jtmip table or lAT (Import Address Table). 

Further details of the loading procedure and the relocation 
for general programs can be found, for example, in L. W. 
Allen ct al., *Trogram Loading in OSF/1, USENIX winter, 
1991, and the loading method and the relocation for the 
encrypted program can be found in Japanese Patent AppU- 
catioo No. 2000-35898 of the applicants. 

It is possible to protect the execution codes placed on Ihe 
memory external of the processor by the above described 
method for decrypting the encrypted execution codes of the 
program, reading ihem out to the cache memory inside the 
processor, and executing them. 
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However, (he execution codes that are decryptetl into 
plaintext can exist inside the processor. Even il it is impos* 
silile to read them out directly from outside the processor, 
there is a jjossiliility for tlie plaintext program to be read out 
5 and analyzed by the other programs that are opera led in the 
same processor. 

hi this emlxidiment, the key decryption processing by 
using the secret key 241 and the key decry|)tion unit 232 nV 
the instruction TLB 121 is not carried but at a time of data 
rcadmg into an LI data cache 218. When the data readmg is 
carried out with respect to an encrypted page for which an 
encryption Hag 307-J-E is set Io in the page table* either 
non-decrypted original data or data of a prescribed value **0" 
will be read out, or else an exception occurs such that the 
normally decrypted data cannot be read out. Note that when 
the encryption Hag 307-j-£ in the page table is rewritten, the 
dccr>'ptcd content of the corresponding instruction cache 
will be invalidated. 

By this mechanism, il becomes impossible for the other 
programs (including Ihe own program) to read the execution 
2r> codes of the encryjited program as data, and decrypt them by 
. utilizing functions of the processor. 

Also, the other programs cannot explicitly read data io the 
instruction cache^ so that the safety of the execiitioD codes 
can be guaranteed. The safety of the data will be described 
25 below. 

Because the cncr>'ptcd execution codes can be executed in 
this way, in the microprocessor of this embodiment, by 
selecting ihe encryption algorithm and parameters 
appropriately, it can be made cryplographically mipossible 

^0 lor a parly who does not know the true value of the execution 
code encryption key Kcode to analyze the operation of the 
program by dc-asscmblrng the execution codes. 

Thus the user c<)nnoi know the true value of the execution 
cotle encryption key Kcode, and il can be made cryplo- 

35 graphically impossible for ibe user to make an alteration 
according to Ihe user^s intention such as illegal copying of 
the contents hiindled by the application by altering a part of 
the encrypted program. 

Next, another feature of the microprcKessor of this 

41) embodiment regarding the encryption, signature and its 
verilication for the conlexl a I a lime of inierrupling the 
program execution under the mu1ti-ta.sl< environment will be 
described. 

The execution of ihe program under Ihe mulli-lask envi- 
4.5 lonment is often internq)ted by tlie exception. Normally, 
when the execution Ls interrui>ted, a state in the pmcessi'>r is 
saved on the memory, and tlien the original state is reorwered 
at a time of restarting tlie execution of that program later on. 
In this way, it becomes possible to execute a phuality of 
50 programs in a quasi parallel manner and accept the inter- 
mption processing. *l1iis information on the state at a time of 
the inteiruptk>D is called the comext ioformation, the context 
information contains information on registers used by the 
application, and in some cascs> information on registers that 
55 arc not explicitly used by the apphcation is also contained in 
addition. 

In the conventional processor, when the interruption 
occurs during the execution of some program, the contml is 
shifted to the execution codes of the OS while the register 

60 state of the apphcation is maintained, so that the OS can 
check the register slate of thai program to guess what 
instructions were executed, or alter the context information 
maintained in a plainlexl form during the interruption so as 
to change the operation of ihe program alter the restart of the 

65 execution of that program. 

In view of this fact, in this embodiment, when the 
interruption occurs during the execution of ihe piolected 
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colics, Ibe coniexl of Ihc cxeculioD immedialely before thai By ihc above feature (1), il is possible lo mainlain the 

iii encrypied and saved while all the applicaiion regisler^ are safely of the context iufor matioa while enabling the analysis 

either encrypted or initialized, and a signature made by tlie of the conlexl ioformatioD by Ihe program vendor. The fad 

processor is atuched to tlie contexx information. Hie signa- |ha| the program vciulor has a right lo analyze the coniex! 

lure is veriiied at a lime of recovery fn.im the interruption, 5 information is important in order to maintain the quaUty of 

to check whether the signature is proper or not. When the ,he program by analyzing causes of any trouble that 

imprtTper sjgnattire « detecte^d, the recovery Is stopped so occurred aca^rding to a coiidltioo by which the program Is 

that the illegal alteration of the context information bv the ^^^^ ^^j. * ^ 

user can be prevented At this pomt the cnci>-plion target ' ihe above feaiure (2) ineffective in preventing a situation 

registers arc user rcgistcis 701 to 720 shown m FIG. 9. ,.,1, , v »u • ^ . j i, 

liTthe Pentium Pro architecture, there is a hardware "^^^'^^^ f^^^^' W^'es the context generated by the 

mechanism for assisting Ihe saving of Ihe cxmtexi inlbrma- ^^ecuuon of a program A to another encrypted program 13 

tion of the process into the memory and its rccovcrv. A "^^f^^ program II from a known sute saved in the 

region for saving the slate is called TSS (Task State context in order to analyze secrets of the dau or tlie codes 

Segment). In Ihe following, an exemplary case of applying contained in the program B or ahcr the operation of the 

Ihc present invention lo this mechanism will be describetl, program IS. 'Ihls liinction is also a prerequisite for the data 

but the present invention is not Hmitcd lo the Pentium Pro protection lo be described below in which each one of a 

architecture, and equally applicable to any pmcessor archl- plurality of applications maintains own encrypted data 

lectures in general. exclusively and independently from die others. 

The saving of the context informalion in conjunction with By ttic above feature (3), it is possible to strictly eliminate 

the exception occurrence takes place in the following case, in the alteration of the- context Information utilizing an occa- 

When the exception occurs, an entry corre.sponding to the sion of the restart of the program. 

interruption cause is read oul Jjom a table calletl IDT Tlie reason for providing such a function is that simply 

(Tntcrrupl Descriptive Table) for describing the exception encrypting the context information according to the secret 

processing, and the processing described there is executed, information of the processor can protect the context infor- 

When die entry indicates a l-SS, the ainlext infonnation 35 matiou from the aUcration according to the intention of the 

saved m the inchcaled TSS is recovered lo the processor. On attacker, but it is impossible to eliminate a possibility for the 

Uic other band^ the context mfoimation of the pro^ss that ^^^^^^ j^c context that rcsultein the restart of 

has been executed up until then is saved in the 'I'SS region ^^w.r-m ^rv^rv, « <.i.^i^ ^u^h.r^ 

specified by a task Agister 725 at that pomt. P^K"°^^^^™ » ^^^^ random eru^K. 

Using tWs automatic context saving mechanism, it is foUowmg, the context savmg and vcnlication 

possible to save the entire state of the application including ^ 'f*^*^^ mcorpora ting the above three leaUires will be 

the program counter and the stack pointer, and detect any ««scriDcd m furiher dclad. 

alteration at a time of the recovery by veiilying the signa- <Contcxt Savmg Proccssing> 

ture. However, when this automatic context savmg is used, i^^o^ context saving Ibrmat in this embodi- 

apan from the fact that a large overhead will be caused by muni conceptually. It is assumetl lhal Ihe inlerniplion due lu 

Ihe conlexl switching, Ihere arises a problem lhal il is ^5 Ihe hardware or software related cause has occurred during 

impossible lo carry out Ihe interruption processing without Ihe execution of the protected program. If the IDT entry 

using the TSS. corres*ponding to ihe inierniption indicates a TSS, the execu- 

In order to reduce the overhead due to the interruption lion stale of ibe program up to lhal point is encrypied, and 

processing, or lo maintain the compalibilily with Ihe existing saved as the conlexl inibrmation in a TSS indicated by the 

programs^ it is preferable not U> use tlw automatic context 40 current task register 725 (ratlier than the indicated I'vSS 

saving mechanism, bul in such a case, Itie program counter itself). Then, the execution stale saved in Ibe TSS indicate^l 

will be saved on the stadc and cannot be a target of the by tlie IITI' entry is recovered to the pmcessor. If the IIDT 

verification, so that it can be a target of the aheration by the entry does not indicate a I'SS, only the encryption or the 

malicious OS. These Iwo cases shouki preferably used in initiali:^alion of Ihe current registers is canied oul, and Ihe 

their proper ways according to the purpose, l or this reason, 45 saving inu^ the ISS does not takes place. Of course the 

the microprocessor of this embodiment adopts tlie automatic lestart of that program becomes jmpos.sib1e in that case, 

context saving with nei^ect to the protected (eiKrypted) Note however that the system registers Including a part of 

executmn codes as a resuh of attacliing more Importance to the flag registers and the task register are excluded from a 

the safety. The rcgistcn^ to be automatically saved may not target of the encryption or the initializatkm of the registers 

necessarily he all registers. so for the sake of continuation of the (XS operation. 

'Ihe context saving and recovery processing in this 'ITiecontentsnf the context shown in TK;. 10 are actually 

cmbodimcm has the foUowiog three major features. interleaved, CDCi>'ptcd in block units aud stored in the 

(1) Ihe contents of the .saved context can be decrypted memory. Here the information items to be saved will be 
only by the microprocessor that generated the context and a described first . At a top, stack pointers and user registers 802 
person who knows the encryption key Kcodc of tiic program 55 to 825 corresponding to respective privileged modes arc 
that generated the context. provided, and one word 826 indkating a TSS size and the 

(2) In the case where the program protected by some presence/absence of the encryption is placed next. This 
execution code encryption key X is intcrmptcd and its indicates whether the TSS in which the proocs.sor is saved is 
context is saved, its restart processing cannot be applied to encrypted or not. Even in the case where the TSS is 
the restart of a non-prolcctcd program or a program 60 encrypted, this region will be maintained in a plaintext form 
encrypied by another execution code encryption key Y without being encT>'pled. 

Namely, the program to be recovered from the interruption After that, data encryption control register (CYO to CY3) 

cannot be replaced by another program at a lime of the regions 827 lo 830 lhal are added for the purpose of Ihe data 

restart. protection are placed, and a padding 891 Cor adjusting the 

(3) The recovery of the altered context is prohibited. 65 size to the block length is placed. Finally, a value EJ^^.^^^,[K^] 
Namely, if the saved conlexl is altered, lhal conlexl will not 832 in which a key Kr used in encrypting Ihe context is 
be recovered. encrypied by the secret key algorithm using the execution 
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(xxle enciyplion key Kcucle, 3 value Ej^^XKr] 833 in which 
the key Xr used in cncfypting the context is eacrypted by 
using the public key Kp ol' the processor, and a sigmlure 
S^Jmesisage] 834 using Ihe siecrel key Ks> ot ihe processor 
with respect to theoi all are placed. Ako, a regioii 801 for a 
link Lo the previous lask thai mainUiins a call up reblionship 
among ta^ks is saved in a plaintext form in order to enable 
(he task scbediillug by the OS. 

'Iliese execution code encryption and signature generation 
are carried out by the context information encryption/ 
decryption unit 254 in the exception processing unit 131 
slK>wn in lies. 4, which ift based on a function independent 
from ttie encryption of the pmoeasing taj]g;et data of the 
execution codes. At a time of saving the context information 
in the *I^S, even if some encryptk>n isspecilied in an address 
of the TSS by the other data cnco'ption functioa, this 
specificaHon is ignored and the context information is saved 
in a state in which the context is encrypted. 1*his is because 
the encryption attributes of the data encryption function are 
siiecific to each protected (encry|>ted) pmgrain so that the 
restart of some program camiot depend on that function. 

In encrypting the context, a word in the TSS size region 
826 to be recorded in a plaintext form is replaced to a value 
"(T. Then, the interleaving similar to that explained with 
references to FIGS. 7A and 7B is applied, and the context is 
encrypted. At this point* the padding 831 is set to a size that 
enables the appropriate interleaving in accordance with the 
encryption block size. 

Here, the reason for not encrypting the register values 
directly by Ihe public key Kp of the pn>oesst>r or the 
execution code encTypiion key Kcode is to enable the 
analj'sis of the encrypted context by both the program 
vendor and the processor while pruhibiling the decrypiion of 
Ihe coniexl by the user. 

The program vendor krK)vvs the excculiou code encryption 
key Kcxide so thflt the program vendor can obtain the 
encryption key Kr ol the context by decrypting E^t^^wJ^Kr] 
832 by using Kcode. Also, the microprocessor 101 can 
obuin the encryption key Kr of Ihe context by decrypting 
lijsyXKr] 833 by using the own secret key I<s. Namely, the 
program vendor can analyze Ihe trouble by decrypting Ihe 
context information widiout knowing tlie secret key of the 
micropmcessor of the iLser, and the microprocessor 101 
itself can restart the execution by decrypting Ihe context 
infomiation by Mslng the own secret key Ks. 'llie user who 
does not have either key cannot decrypt the saved context 
infnmiation. Also, the user who does notktx>w tlie secret key 
Ks of die microprncejiwr 101 cannot forge the context 
information and the signamrc S^-^mcssage] with respect to 
l^Aco^-tKf] and li^Kr]. 

In order to enable the nmtually indejiendent decryption of 
die context information by the program vendor and the 
microprocessor, it is also jx^ssible to consider a metliod for 
encrypting the context infonnation directly by using Kcode. 
However, in the case where the register state is already 
known^ there is a possibility for the kaown-plaintcxt attack 
against the execution code encryption key Kcode. Namely^ 
when a vahic of the key for encrypting data is fixed, the 
following problem arises. Consider the case of executing a 
program which reads a data input by the user and writes it 
into a working memory temporarily by encrypting iL The 
data that arc to be encrypted and written into the working 
menxiry can be ascertained by monitoring the memory, so 
that the user can repeal the input many limes by changing the 
input value and obtain the corresponding encrypted data. 
This implies thai the chosen-plainlexi attack of the ciyp- 
toanalysis theory is possible. 
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The known-plainlexl attack is not fatal lo Ihe secret key 
algorithm, but it is still preferable to avoid that. I'or this 
reason, a random number Kr is generHled at a random 
number generation mechanism 252 of the exception pro- 

5 cessiug unit 131 nl each occasion of the context snviug, and 
supplied lo the context information encryption/decryption 
unit 254. The context information ciKrypt ion/decryption 
unit 254 encrypts the context by the secret key algorithm 
using the random number Kr. 'Ilien, the vahic li|p,;,^iJKr] 

10 832 in which the random number Kr is encrypted by the 
same secret key algorithm using the execution code encryp- 
tion key Kcode us atuchcd. ITic value L^Kr] 833 is 
obtained by encrypting the random numl^er Kr by the public 
key algorithm using the public key Kp of the miciopmces- 

1.5 sor. 

Here, the random number is generated by the random 
number generation mechanism 252. In the case where the 
program is encrypted, normally there is no change in the 
program codes so that the corresponding plaintext codes 

10 cannot tie acquired illegally as long as the operation is not 
analyzed. In this case, there is a need to carry out Che 
^'ciphcrtext-only attack^ in order to cryptoanalyze, so that it 
is very difficult to find the encryption key. However, in the 
case where the data entered by the user arc to be stored into 

25 the memory by cncryptmg them, the user can freely select 
the input data. For this reason, it is possible for the user to 
make the "chosen-plaintext attack" against the encryption 
key which is far more eflective than the ''cipherlext-only 
attack". 

30 AgainsL the chosen-plaintext allack, it Is possible lo adopt 
a measure lor enlarging Lhe search space by adding a random 
munbcr called **salt" into the plaintext to be protected. 
However, it is very tedious lo implement the savmg inlo the 
memory in a ibrm where Ihe "sail" random number is 
incorporated in every data at Ihe application programming 
level, so that this can cause the lowering of the programming 
efficiency ao<1 perlbraiance. 

For this reason, the random number generation mecha- 
nism 252 generates the random number (encryption key) for 

40 encryi>ting the context at each occasion of the context 
saving. As Ihe encryption key can be selected arbitrarily, 
there is also an etfect that the safe comnmnications between 
processes or between processes and devices can be realized 
faster. This is because Ihe speed for encrypting data by the 

45 hardware at a time of the memory access is far slower in 
general than the speed for encrypting data by the stiftware. 

On the contrary, if the value of the encryption key for the 
data region is limited to a prescriljcd value such as that 
identical to the execution code encryption key for example, 

5» then it l^ecomes impossible to u.se the data encryption 
function of the processor for the other programs encrypted 
by the other encryption keys or the sharing of the encrypted 
data with the devices, so that it becomes inipos.sible to take 
advantage of the fast hardware encryption function provided 

55 in the processor. 

Kotc that the decryption of the encrypted random number 
^KcodaP^] ^2 l^^t takes place at a tune of the restart and 
the generation of the signature 834 can he based on any 
algorithm and secret information as long as a condition that 

(iO they can be carried out only by the microprocessor 101 is 
satisfied. In the above example, Ihe secret key Ks unique lo 
the microprocessor 101 (which is also used for the decryp- 
tion of Ihe execution code eiKryplion key Kcode) is used for 
both, but respectively dillerent values may be used lor these 

OS purposes. 

Also, Ihe saved context contains a Hag indicating the 
presence/absence of the encryption, so that the encrypted 
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tx>ntexi inTormaUon ancl (he ncxiHjntT>pl<x3 ctinlext iolbrma- «d exceplion occurrence acUlress iDdicaUis an address a I 

tion cau coexist accordiag to the need. Jlic 'l^S size and the which ihe jump or call insiruclion is issued. Also, a value 

Hag indicating Ihe presence/absence t>l* ihe encryption are indicating illegality of the 'I'SS is stored into an interruption 

stored in a plaintext loim so thai it is easy Lo roaintain Ihe cause field in tlie I OT table, and an address of a jump target 

cooipalibility with respect to the past programs. 5 TSS is stored into a register thai stores an address that Ls the 

<Proccs.sing Cur Restarting the Interrupted Pa>gram> cause of the interruption. In this way, the OS can learn the 

At a time of rc8tarting the process bv recovering the cause of the context switching failure, 

context, the OS issues a Jump or call iustruction with respect . .'^"J^ "^^''^^ ^[ ^^^^ processing, 

uy a INS dcscrii^tor indicating the saved INS. it is also possible to use a configuration m which the supply 

Keturning now to M<;. 4. the execTition code e.Krvption m execution state encrypted by the context information 

key and signature veriacation unit 257 if the exception «ncryi>t.on.decryption unit 254 to the register file 253 and 

i ^ -4; .u • 1? r yo'^A Ihe venliciJUon processmg by the execution cxule encrypion 

pnocessnig unit 131 verifies the signature S^message] R34 ^ ^. ^^^^^ verification unit 257 arc carried out in 

by using the secret key Ks of the processor first, and sends a^aliel, and the subsequent processing is stopped when the 

the venflcation result to the exception pix)ces5nng unit 255. verilicalion lails ^ ^ » 

In Hie case where the verification result is faihire, the i.s jhe safelv of this encryption scheme using a random 

exception processing unit 255 stops the icstait of the cxccu- number depends on the impossibiKty to predict a random 

tion of the program, and causes the exception. By this number sequence used, and a method for generating hy 

verification, it is jx-issible to confirm that the context infor- hardware a random number thai is very bard lo pndicl is 

mattoii is surely generated by the proper microprocessor 101 disclosed in Onudera, el al., Japanese Patent No. 2980S76. 

that has the secret key and not ahered. zr> The analysis of the context information by the program 

When the verification of the signature succeeds^ the vendor is important in improving the quality of the program 

context information encryption/decryption unit 254 obtains by analyzing the causes of any trouble in the program that 

the random number Kr by dccr>'pting the context encryption occurred according to a condition by which the program is 

^*^y ExJ!Kr] 833 by using the secret key Ks. On the other used by the user. In this ciubodimcot. in view of this fact, the 

hand, the executk>n code enoyption key Kcodc correspond- 25 above described scheme for realizing both the safety of (he 

ing lo the program counter (EIP) 805> is taken out from the context and ihc capability of the context inlbrmation analy- 

page tabic buffer 230, and sent to the current code eocryp- sis by the program vcnd<H' is employed, but it is also true that 

lion key memory unit 251. The context information Ihe use of this scheme increases the overhead of the coniexl 

cncryptioD/dccryption unit 254 decrypts E^^^JiKr] by using saving. 

Ihe execution code decryption key Kcmie, and sends the 30 Moreover, the verijjcation of the c<.>nlcxl inlbrmation by 

result lo the execution code encryption key and signature u.sing the signature made by the microprocessor prevenls the 

vcrilicationunit257. The execution code encryption key and execution of the protected codes in the illegal context 

signature verilicalion unit 257 verities whether Ihe deciyp- information by using a combination of arbitrarily seleclctt 

lion result of E^,„^Kr] 832 coincides with the decryption value and encryption key, but Ihis additional protection also 

re.suU of the microprticessor using Ihe secret key Ks or not. 35 increases the overhead. 

By ihis verification, il is possible lo C(.>Qlirm that this context Conseipiently, in the case where there is no neetl for the 

information is generated by Ihe execution of the execution capability of the context inlbrmation analysis by the pru- 

codes encrypted by using the secret key Kcode. gram vendor or a mechanism for eliminating Ihe program 

If Ihis verilicalion of the execution code encryption key restart using the Illegal context information, the conlexl 
with re.spect to the cojitext information is not carried out, it 40 information containing information for identifying the 
wouki become possible lor the user lo make an attack by execution code encryption key may be directly encrypted by 
producing codes encrypted hy using any suital>le secret key using the .secret key of tlic processor. Liven in sucli a case, it 
Ka and applies the context information obtained by execut- is still possible to make the intentional aheration of the 
ing these codes to the codes encrypied by the other secret context cryptographically impossible, and prevent Ihe con- 
key Kb. 'ihc al)ove verification eliminates a po.<ssibi1ity of 45 text information from l>e ing applied to a program encrypted 
this attack and guarantees the safety of tlie context infer- by using a difilerent encryption key. 
mation for the protected codes. I lere, the context saving format will be described further. 

'Ihis object can also be achieved by adding a secret Its relationship with the oiwratinn will Ix de.scrilKd later, 

execution code encryption key Kcodc to the context In FIG. 10, an ^R" bit 825-1 is a bit indicating whether the 

information, but in this embodiment, by the use of the vahie 5i) context is restartable or not. When this bit is set to ttie 

^Acw«<c[Kr] in which a secret random number Kr used in execution can be restarted l^y recovering the state saved in 

encrypting the context information is cncr^'ptcd by using Ihc the context by the above described recovery procedure, 

execution code encryption key Kctxle selected by the pro- whereas when this bit is set to "(!", the restart cannot be 

gram vendor, it is possible to reduce the amount of memory made. This has an effect of preventing the restart of the 

required for saving the context information so as to achieve 55 context in which the illegality is detected during the cxecu- 

thc effects of the fast context switching and the memory tion of the encrypted program so as to limit the rcstartablc 

savmg. This also enables the feedback of the context infor- contexts to only those in the proper states, 

mation to the program creator. A "U" bit 825-2 is a flag indicating whether the TSS is a 

Now, when the verification of the execution code cocryp- user TSS or a system TSS. When this bit is set to "0**, the 

tion key and the verification of the signature by the exccu- 60 saved TSS is the system TSS, and when this bit is sot to 

lion code encrypUon key and signature verilicaLion unit 257 Ihe saved TSS is the user TSS. The TSS that will be saved 

both succeed, the context is recovered to the register file 253, and recovered through the task switching accompanied by 

and the program counter value is also recovered so that the Ihe change of the privilege lirom the exception entry as 

control is returned to an address at a time of the execution described above or through a lask gate call up is the system 

mtcrruption that caused to generate this context. 65 TSS. 

When cither one of these veriiica lions fails so that the The dillerence txslween the system TSS and the user TSS 

exception processing unit 255 causes the exception to occur, lies in whether a lask register indicating a TSS saving 
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location ol* ihe currenlly execuIcO program is lo be uptlaletl 
or QOl al a lime of Ihe recovery of the TSS. In Ihe recovery 
of the system ilSS^ the task register nf ttie currently executed 
pmgrani wilt be saved in the link to the previnus task region 
801 of Ibe TSS to be newly recvvered, and Ihe segment 
selector of the new TSS will be read into the task register. On 
the other hand, in the recovery of tlie user 'I'SS, the update 
of the task register value will not be carried out. Jlie user 
TSS is aimed only at the saving and the recovery of the 
register state of the program so that it is not accompanied by 
the change of the privileged mode. 

The exception includes a software interrupt used for the 
system call up from the application ptogram. In the case of 
the software interrupt for the purpose of the system call up, 
the general purpose register is often used for the parameter 
exchange, and iheie can be cases where ihe context infor- 
mation cooryption can obstruct the parameter exchange. 

The software interrupt is generated by the apjilication 
itself, so thai it is posifiible fur Ihe appHcaliuo to destroy 
inTurmalion of the legLsters thai have secrets^ prior lo the 
generation of the software interrupt. Under the presumption 
of such conditions, it is possible to use a scheme in which 
the encryption of the registers is not carried out only in the 
case of Uic software interrupt. Of course, in such a case, the 
applKatioQ program creator should take this fact into oon- 
sidcralion and design the program such that the secrets of the 
program can be protected. 

Next, the suppression of the plaintext program debugging 
function will be tkjscribed. 

The processor has a step execution function which causes 
Ihe inlerrupiion whenever one instruclioo is executed, and a 
debugg;iDg function which causes the exception whenever a 
mcnx)ry access with respect to a specific address is made. 
These functions may be useful ibr the development of 
programs but they can impair the safely of programs that are 
encrypted for the purpose of the secret protection. 
Consequently, in the microprocessor of Ihis embodiment, 
such debugging functions axe suppressed dunng the execu- 
tion of the encrypted program. 

The instructioa TLB 121 can Judge whether Ihe currently 
executed code is protected or not (encrypted or not). During 
Ihe execution of Ihe protected code, two debugging func- 
tions including a debug register fuiKtion and a step execu- 
tion hinction are prohibited in order to prevent an tntnuion 
of the encrypted program analysis Irum a debug Hag or a 
dd)ug register. 

'Hie debug regi.ster function is a function in which a 
memory access range and an access type such as madJng/ 
writiiig as tlie execution code or data are set in advance into 
a debug icgistcr provided io the processor such that the 
iiitermption is caufied whenever a corresponding memory 
access occurs. In this emlxidiment, diu-ing the execution of 
the protected code, (he cootcnts set in the debug register will 
be ignored so that the interruption for the purixii^e of the 
debugging will not occur. Note however that the case where 
a debug bit is set in the page table is excluded from this ruk. 
The debug bit io the page table will be described later. 

During the execution of a non-protected (plaintext) code, 
the interruption will he caused whenever one instruction is 
executed if a step execution bit in an EFLAGS register of the 
processor is set, but during the execution of the protected 
code, ibLsbil will also be ignored so that the interruption will 
not occur. 

In this embodiment, in addition lo the encryption of the 
execution codes lor Ihe purpose of preventing the analysis, 
these fiiiKtions make the analysis of the program by tlie user 
dilHcult by preventing the dynamic analysis of the program 
using the debug register or the debug llag. 
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<DaLa Protcciion> 

Next, the protection of ibe processing target data of the 
execution codes will be described. 

In this embodiment, the encryption altxibuies Ibr prolect- 

5 ing data are defined in four registers CYO to CY3 that are 
provided inside the microprocesst^r 101. They correspond to 
regions 717 to 720 shown in I'Ki. 9. In M<i.9. details of the 
registers CYO to CY2 are omitted, and only details of the 
register CY3 are shown. 

1i> Lilcments of the encryption attribute will now be 
described by taking the CTY3 register 717 as an example. 
Upper bits of the logical address indicating a to^) of the 
region to l^e eiKrypted are specified in a base address 717-1. 
The si7.e of the region is specified in a size region 717-4. A 

15 size is specified in units of the cache line so that there is an 
invalid portion at the lower bits. A data encryption key is 
specified in a region 717-5. Here the secret key algorithm is 
used so that the region 717-5 is also u.sed for the decryption 
key. When a value of the encryption key is specified as "(T, 

zr> it implies that the region indicated by that register Is not 
eocxyptcd. 

Among the specifications of the regions, CYO is given the 
highest priority, and CYl to CY3 arc given sequentially 
lower priorities in this order. For example. When the regions 

25 specified by CYO and CYl overlap, the attributes of CYO are 
given the priority over thotsc of CYl in that region. Also, the 
definition of the page table is given the highest priority in the 
case of a menoory access as the execution code ralber than 
as the processing target data. 

30 A debug bit 717-4 is used in selecting whether the dala 
operation in the debugging slate is to be uirried out in an 
encrypted state or m a plaintext state. Details of the debug 
bit will be described laler. 

FIO. 12 shows the information flow in the encryplion/ 

35 decryption of ibe processing laigel data of the execution 
codes. Here, the dala proteclioo is made only in the slate 
where the code is protected, that is the code is execulal in 
an encrypted state. Note however ihat the case where the 
code is executed in the debugging slate lo be describe<1 

M> below will be excluded from this rule. When the code is 
protected, the contents of the dala encryption control regis- 
ters (which will be also referred lo as the encfyjjtion attribute 
regi.sters or the data protection attribute registers) CYO to 
CY3 are read from the register file 253 shown in FIG. 4 Lo 

45 a data encryption key table 236 provided inside the data Tl .1 ) 
141. 

Wlien some instruction writes data into a 1ogk:a] address 
'^Addr", the data 11.11 141 Judges whedier tlie logical 
address ''Addr" is contamcd in ranges of CYO to CT3 or not 

50 by checking tlie data encryption key table 236 (see I'lCS. 4). 
As a result nf the Judgement, if the encryption attribute is 
specified, the data TLB 141 commaods the code encryption 
function 212 to encrypt the memory content by the specified 
cDcryptioD key at a time of the memory 'writing of a 

55 corresponding cache line from the LI data cache 218 to the 
memory. 

Similarly, in the case of reading, if the target address has 
the encryption attribute, the dala TT.B 141 commands the 
data decryption function 219 to decrypt the data by the 

60 specified encryption key at a time of the reading of a cache 
line out lo the corresponding LI data cache 218. 

In this embodiment, the data encr>'ption attributes are 
protected from the illegal rewriting including Ihe privilege 
of the OS by placing all the data eixnr>'piion allribules lor the 

65 data encryption in the registers inside the microprocessor 
101 and saving the coatenus of the registers at a lime o£ the 
execution interruption as the context inloimation in a safe 
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i!onn inlo a memory (the main memory 281 ol* FIG. 4, for 
example) external ol' the micruprocx^ssor 101. 

'Ilie data encryption/decryption is carried out in units of 
tlie cache line ^at is interleaved as described atxive in 
relalion lu the coalexL encryption. For this reason, even 
when one bit of the data on the LI cache 114 is rewritten, the 
other hits in the cache h'ne will be rewritten on tlie memory. 
*lbe execution of the data readino;\vriting is carried nut 
collectively in units of the cache hnc, so that the iocrcasc of 
the overhead is not so large, but it sliould he noted that the 
reading/writing with respect to tlie encryi>led memory 
regions cannot be carried oul in iiniLs less Ihun or equal to the 
cache line size. 

In the above, the method for protecting the data by 
encryption in this embodiment has been ilescribed. By this 
meltiod, on the main memory, il is possible to paicess Ihe 
encrypted data by encrypting them inside the processor by 
using the encryption key and the memory range sjieciRed l>y 
the applicaliun program, and read/write them as plaintext 
dala from a viewpoint of the application. 

Next, two mechanisms for preventing reading of the data 
stored in a plaintext form in the cache memory inside the 
pioocssor by a program other than the encrypted programs 
that has read these data (which will be referred to as the other 
program) will be described. 

First, the program is identified by its encryption key. This 
idcntillcation is made by using a key object identifier used 
at a time of decrypting the currently executed instruction 
inside the processor. Here, a value ol ibe key itself may be 
used for this identification, but a value of the execution code 
decryption key has a rather large size of 1024 bits belore Ihe 
decryption or of 128 bits after the decryption which would 
require an iocreasc of the hardware size, so that the key 
object identifier which has a loial length of only 10 bits is 
used. 

The Ll insiructioo cache 213 in which the decrypted 
execution codes are to be stored has an allribule memories 
in correspondences to the cache lines. When the decrypted 
execution codes are stored into (he Ll instruction cache 213 
by Ihe code decryption function 212, the key object idenlilier 
is written into the attribute memory. 

Also, in the case of reading Ihe encrypted dala from Ihe 
memory and decryx)ting it, tlie contents of the data x>rntection 
attribute registers CYO to <:Y3 arc read out from the register 
file 253 to a protection table management funcliun 233 of Ihe 
data '11 .1) 141. At this point, the key ol^ject identifier 
corresponding to the currently executed instruction is also 
read from the current code encrjrption key memory unit 251 
at tlx same time and maintained in the protection table 
managcmcDt function 233. 

Similarly as in the case of the instruction cache, the data 
cache 218 has attribute memories in correspondence to the 
cache fines. When the data read out tcom the memory is 
decry|)ted by the data decryption function 219 aixl stored 
into the Ll data cache 218, the key object identifier is written 
into the attribute memory from the protection table man- 
agcmcDt function 233. 

When some instruction is executed and the data referring 
is carried out, the key object identifier written in the attribute 
of the data caclie and the key object of that instrucdon in the 
instruction cache arc compared by the secret protection 
violation deleclion unit 256. If ibey do not coinckte, ihe 
exception of the secret protection violation occurs aod the 
data relening falls. In the case where Ihe attribute of the data 
caehe indicates a plaintext, the data reierring always suc- 
ceeds. 

Note that, when the attributes of Ihe iusiruclion and the 
dala do not coincide, instead of causing the exception, 11 is 
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also possible to discard the content of this data cache and 
re-read tl^ data from the memory once again. 

For example, consider program- 1 and program-2 Jjor 
which Ihe execution cwle encryption key as well as the data 

5 protection attribute registers CYO to CY3 arc dilfcreat. If the 
encrypted data referred and written into the CHche by the 
program-l Is to be referred by the p/xigram-2, the program-2 
will read out a different data, 'this operation Js in accord with 
the purpose of protecting secrets. 

II) if two programs have the same data encryption key and 
data at the same address are referred by them, the same data 
will be read so that this data can 1>e shared between them. 

In this way, in this em1x)diment, data generated by some 
program-l can be proteaed from being referred by another 

1 5 prograin-2 by 2>roviding a function tor maintaining attrilrates 
of the instruction to be executed and the data Indicating 
programs to which they originally belong, and comparing 
the attributes tn sec if tliey coincide or not at a time of the 
data referring due to the instruction execution. 

2f) <Cntry Gato 

In this embodiment, the cases where the control can be 
shifted from the non-protcctcd code to the protected code arc 
. limited only to the following two cases: 

(1) the case where the context encrypted by using the 
25 execution code encryption key (that is, the context having a 

random number) that coincides with a restart address is to be 
restarted; and 

(2) the case where the control is shifted from a non- 
protected code to an entry gate instruction ("egaie'* 

50 instruction) of Ihe protected code, by the execution of the 
consecutive codes or by a Jump or call instruction. 

This limitation is placed in order to prevent an attacker 
liom obiaining information on code fragments by executing 
Ihe code from arbitrary ptisilion. The procedure for the 

35 atiove (1) has already been described in relalion lo the 
context recovery. Namely, the control is shifted lo the 
execution of the protected code only when il Ls verified that 
the context information matching with the execution code 
encryption key of Ihe code thai was executed immediately 

4(» l)efore the interruption is contained, and that the proi)er 
signature given by the microprocessor 101 is attached. 

'fhe above (2) is a processing for prohibiting a transition 
to the execution of the protected code unless a special 
iostruclion called entry gate (*'egate") instruclion is executed 

45 at the beginning of the control in the case of shifting the 
control from the non-protected code to the protected code. 

I'Ki. 11 shows a procedure for switching a protection 
domain based on the entry gate instruction. 'Hie micrapm- 
ccssor 101 is mamtaining the encryption key of the currently 

5(» executed code in the current a>de encryption key memory 
unit 251 (see 1*1(1. 4) of the exception processing unit 131. 
First, whether the value of this key is changed in coajunctioxi 
with the execution of the instruction or not is judged (step 
601), When the change of the key value is detected (step 601 

55 NO), whether the instruction executed in conjunction with 
the change is an entry gate ('^cgate") instruction or not is 
checked next (step S602), If it is the entry gate in&tructioa, 
it implies that it is a proper instruction so that the control can 
be shifted to the changed code. Consequently, when it is 

60 Judged as an entry gate instruction (step 602 YES), this 
ins t ruction is executed. 

On the other hand, when it is Judged as not an entry gate 
instruction (step 602 NO), il implies thai Ibe interrupted 
instruction is an improper instruction. In this case, whether 

65 the iiislniction that was executed immediately previously is 
an encrypted (protected) instruction or not is judged (step 
603). If il is a non-protected instruction, the exception 
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processing can l^ke place clirecLly, bul il' il is a prulecleil 
iiLstnictiOB, there 1$ a need to cariy out the cxceptiou 
prucessing while prolecling lhat iaslniclion. 

Consequently, when it is judged as a non-piolecied 
liLstnictioD (step 603 NO), the exception processing is car- 
ried oul diiecLly, whereas when il is Judged as a prulecled 
jii5;tniction (step 6003 YliSX the noo-nftst4rtal>le exception 
procesaiug is carriec) out ^iiile maiataiaiug the protected 
state. 

Hy this limitation of the control shifting, the direct shift- 
ing of the control from a plaintext code to a code at a 
k>cation other than that of the entry gate instruction is 
prohilsited. 'ITie context recovery implies the recovery of the 
state that was already executed onoe by that program 
through tlie entry gate. (Consequently, the execution of the 
protected piogram must pass through the entry gate. By 
suppressing locatjoas for placing the entry gate to the 
niinimum necessary number in the prngram, there is an 
c£Ecct of prc;\xating an attack for guessing a program struc- 
ture by executing the program from various addnssses. 

Also, at this entry gate, the imtiafizaticm of the data 
protection attribute registers is carried out. When the entry 
gate is executed, a random number Kr is loaded into a key 
region (a region 717-5 in CY3) of the data protection 
attribute registers CYO to CY3 717 to 720 shown in FIG. 9 
The encryption target top address is set to ''0", the size is set 
to an upper limit of the memory, and the entire logical 
address space is set as the encryption target. IT Ihe debug 
attribute is not set in the executioD cx)dc, the debug bit (717-3 
in CY3) is set as nun-debugging. 

In olher words, at a liming of the encryplioD code execu- 
tion start, all the memory accesses arc encrypted by using 
the random number Kr deiermined ai a lime of the entry gate 
execution. Also, in the execution code encryption control^ 
the deHnilion in the page table is given a higher priority as 
already mentioned above. This random number Kr Ls gen- 
erated independently from the random number used in Ihe 
context encryption. 

By this mechanism, a protected program lo be newly 
executed is set to lie always encrypted by using a key 
determined randomly at a time of the start of all the memory 
accesses. 

Of course, in this state the entire memory region is 
encrypted so that il is impossible lo give parameleis of Ihe 
system call through the memory or exchange data with the 
other programs. Tor this reason, the program carries out the 
processing by sequentially adjusting its own processing 
environment by setting the data protection attribute registers 
such that the necessary memory region can be converted into 
plaintext so that it becomes accessible. I}y leaving the 
register (^Y3 with a lowest priority in the initial setting of 
being encrypted by using the random number, while setting 
the encryption key **iY* as the plaintext access setting for the 
other registers, it is possible to reduce a risk of accessing an 
unnecessary region as a plaintext and writing data to be kept 
in secret by encryption oul to a plaintext region by error. 

The contents of the registers other than the data protection 
attribute registers arc not encrypted even in the initiali/ation 
at the entry gate, and pointers for specifying locations of 
stacks or parameters can be stored therein. However, cares 
shouki be taken in the processing of the program lo be 
executed through the entry gate so that secrets of the 
program will not be slolen by calling up the entry gale by 
selling illegal values into the registers. 

It is also possible to use a configuration for initializing all 
the registers other than Ihe Hags and Ihe program counter, 
including the general purpose registers other than the data 
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protection attribute registers, at the entry gale in the case uf 
anaching more importance to the safety, even though this 
provision makes the programming more restricted and the 
eHidency poorer. Even in this case, Ihe parameters such as 

5 stacks can be exchanged through a memory region specified 
by a relative address or an absolute address of the program 
counter. Note however that, similarly as in tlw case of the 
coutext saving, the system registers including a part of the 
flag registers and the taslc register are excluded from a taiget 

11) of the encryption or the initialization of the registers for the 
sake of continuation of the OS operation. 

In this way, in the microprocessor 101 of this 
embodiment, the fragmental execution of tlie protected code, 
especially the illegal setting of the data protection state, is 

ts prevented, as the finit instmction to Iw executed at a time of 
shifting ±e control from the piogram in the plaintext state to 
the protected program is limited to the entry gate instruction 
and the registers including the data protection attribute 
registers arc initialized by the execution of the entry gate 

20 instruction. 

Next, the execution control of the protected program will 
be described. First, the call up and the branching that arc 
ck>sed within the protection domain will be described. The 
call up within the protection domain is exactly the same as 

25 that for the usual programs. FIG. 13 shows tbc call up and 
the branching within the protection domain conceptually. 

The execution of the code 1101 in the protection domain 
is started as a thread 1121 outside the pro lection domain is 
branched into an "egate" (entry gate) iostmction of the 

30 protection domain. By the execution of the ''egale*' 
instruction, all the registers are initialized, and then the data 
protection attributes arc set up sequentially by the execution 
of the program. The control is shii'ted to a branch taiget 
"xxx" IIU in Ihe proleclion domain by a "jmp xxx" 

35 instruction (processing 1122), and a "call >'yy" insiruclion 
located al an address ''ppp" 1112 is executed (processing 
1123). The calling source address '^ppp** 1112 is pushed into 
a slack memory 1102, and the control is shifted to a call 
target "yyy" 1113. When the processing al Ihe call target is 

4t) completed and a "ret" instmction is executed, the control is 
shifted lo a return addres.s ''ppp" 1112 in the slack. There is 
no limitation on the execution control while the execution 
code encryirtion key remains the same. 

Next, the call up and Ihe branching from a proleclion 

45 domain to a non-protection domain will be described, l-or 
this control shifting, the execution of a special instruction 
and the oj)eration of the user 'J'SS to be described below will 
be carried out in order to avoid a shifting from a protection 
domain to a non-protection domain that is not intended by 

5i> the program creator and to protect the data protection state. 
i-'Ki. 14 shows the call up and tlie branching from a 
protection domain to a non-protected dcmstin conceptually^ 
where an execution code 1201 of tlie protection domain and 
an cxeaition code 1202 of tbc non-protection domain are 

55 placed in respective domains. Also, a user TSS region 1203 
and a region 1204 for exchanging parameters with tbc 
non-protection domain arc provided. 

The execution begins when a thread 1221 executes the 
cgatc** instrucdon. The program of the protection domain 

(M) saves the address of the user TSS region 1203 in a prescribed 
parameter region 1204 before calling up Ihe code of the 
non-protection domain. Then, the code of the non-protection 
domain is called up by executing the ''ecall" instruction. The 
"ecall" instmction lakes two operands. One is a call taigel 

t>5 address, and the other is a saving target of the execution 
state. The "ecall" insiruclion saves ibe register slate at a lime 
of the call up (or more accurately the register slate when the 
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program uiunter is in a slale al'ler Ihe "ecall" iDslrucliuD is Al a lime of Ibe leoovery of (he user TSS by Ibe 

issued) inlu a regiun specitied by Ibe operand ''uTSS", in a applicuinn, an attack for Mibstituting the U!;cr TSS by t^c OS 

format similar to that in the case of the encrypted 'ITiS whicb has privileges is nul entirely impossible. However, tbe 

described a)xwe. In the Mlowing, this region will be inlerchangeable TSS inTormation in siich a case is only Ibe 

referred lo as a user TSS. 5 context ioformalion whose execution is always started 

The difference between the user TSS and the system TSS ~ through the "egate" and which is saved by the saving of the 

lies in that, in the user ivgisler shown in FIO. 10, a U flag «»sculion stale caused by the inlerruplion or by the user 

is set in a rcgioa 825-2 on the TSS. The difference in the explicitly, as long as the execution code enciyption key of 

operation will be described later. In the saving of the user the pratection domain Ismanagedcorrecilv. ApM»n>ility for 

rSS into the memory, the data protection attributes defined the lealcage of the secrets of the application due to the 

m the data protecUon attribute registers CYO to CY3 by Ihe '» interchange of this conlexl inlbimalion is quite small, and il 

user are not allied, similady as in the case ol the saving of quftc difficult for an attacker to guess what kind of Ibe 

the conlwrt mfotmation mto the system TSS context information interchange is neoessarv in acquiring 

IliecallUirgislcodeoCUienun-prolecliondomamcannul the secrete of the aimlication 

exchange parameters because the registers arc initialized by L , . ^ . 

Ihe exeLll™ of the "ecall" insltuc^on. For this reason, thS „ ,„7^« procedure tor caU »P from the pr«cctipn domain to 

parameters arc acquired from a prescribed address -param" " ttJC "on-protection domam dcscnbed above is ako appb- 

1204. and the nc(5ssary proocs^ng is earned out. There is * procedure for sh.fting the wntrol between the 

no likiitalion on die prograimi^ in the non-protection Z'^T^ ^T^l^^ ^.^'^"^''^ ^' *' 

domain. In die example of FIG. 14. a sub-rouline "qq<," ^ *^ « mstfuction o£ the calling source 

1213 is called up (processing 1225). The call up from the ,„ • .u , _ .u . .• j 

protection domain mo be ad^ted to the call up semantk:s of ^ case, Uic caU up between the protecUon domains 

(he sub-rouline "qqq" by pla<Iing an adaptor ixle for copy- «ncryp«mg the region lor 

ing slack pointer s2lli,i and the paianLleis to the slack. t^^^^^ ^^^^^T^'f these protection domains. 

bJUen W and the lall up of iqqq". for example. llSe f ? '""^P*'"" '^';>- ''^ared by carrying ou the 

processing result Is sent to the calling source through the «"lhe?l^»hon key exchange between these pioleclion 

parameter region 1204 on the memory (processing 1226). 25 o^mains in auvatice. ...... ... 

When the prWsing of the sub-ioutinc is completed, a fc.vnbcd. according to the m,croproce«ior of the 

"sret" inslriction is iiued in order to return the .^ntrol to P^'f T I aI "«=""'^V"^7'''« l"'^'"' '"'i*' 

the calling source protection domain (proces.sing 1227). ^ or a Unrd parly by prolecling both the 

TUc "sref instrCictioa takes one o^srand for spccilying the processing tatgetdaia of ihe execu- 

thc user TSS. unlike the "ret" insmiction that has no 30 »>y «»•« encryption, under the multi-task 

nperand. I iere, the user IKS 1203 is .specified iixlirectly as •nvifonment. 

the recovery inrormalioo Uuough a pointer stored in the '".PW^W't Ihe lUegal rewnling 

parameter region -param" 1204 The recovery of the user '"'"yption attributes in the case of saving the 

TSS by the "srcf instruction largely difers from the iccov- ei^OTwa 

ery of Vhe system ISS in that the'laik register is not affected „ fji'*^ijM'"L"T T • IT'^ the «ncfypt<d data 

ai all even when the user TSS is rea^red. The usk link " '^'Sal att^ks by using arbitrary random number Kr 

fleM of Ihe user TSS will be ignored. Tbc recovery will fell " ^ ^"""f, encryption key for the 

when the system TSS with the U flag 825-2 set to "0" is pn>ces.sine target dau. , .u . w 

speciU«1 in the operaml of Ihe '<»tel" inslniclion. „ f^''^'^ V<.^^^o to canry out Ihe '^bugging m 

Al a time of the execution of the recovery, the decryption P'"""'** "^7^^" ^'""^ ^"^^'^ iocdbick on 

of the execution state and the verification of the exertion *" ^0 cffors can be piovulcd to the program vxndor who knows 

code encvption kev and the signature already described "»» «x«aihon code enctypUon key. 

above are carried oul. and when the violation is delected, Ihe ^! .''t^T*? ^ ^V"^ T^.*'*^'* 

exception oflbe secret proleciion violation will occur. When '^'^J^ miooproccMor and suppress the cost of he 

die ^irification succeed^ tl« execution is restarted from an '»^<"J>'^' saving information that required the 

instruction next to the calling source "ecall" iiistmaion. Iliis « pro lecUon such as the encrypUoo allnbule inrormalion 

address is encrypted and signed in the user TSS, so that il is "° f * Signature ol the 

ctyptographiciU^ impossible to forge this add^. AU the '"'^'opro'^^.^r. reading only the neees.sary ponion into he 

registei; except for the program counter will be set back to ^^'.f f . """1.*'''' m,croproees.sor. and carrying out the 

the state before die call ip, % Uiat the code of the protection T "'^ r^** signature al a lime ol readmg. In this 

domain acquires the execution result of the sib-routinc 5.. "^^Z' SJ^^^ / 

"cxx" from the patamctCf region 1204. reading can also lie guaran eed 

At a time of shifting Ihe^ntrol to the non-protection Jt-s also to be noted th at, l>es.desth,ise already rrjentic^^ 

domain after Ihe proc^sing ol the protection domain is modilicalioi^ and vanahons ol above 

completed, an "cjmp" insSuction iT used. The "eimp'- ^"^"^"^ "^^ '^t^^ without dcpanmg fiom the 

instmction docs n« carry out the saving of the state, unlike „ ""^J Jf** advantageous fcMiu«i of the present inveouon. 

Ihe -ecaU" insU»ctk,n. If Ihe control is shifle.1 ^^m Ihe " ^'^^ff'V"? t^S^ *^ /i"**'*""J'5 

pioleclion domain lo the non-protection domain by Ihe " '^^'^ ^""^ '"c scope of the appended 

instruction other than "ccall" and "cjmp", such as "Jmp" or ^JSt', j- 

"call", the exception of the secret protection violation occurs woai is ciaimea is. 

and the encrypted conlexl in[otaIalk>n is save<l in the TSS ?• .nicropmcessor having a unique secret key and a 

region (a region ialicaled by the task register) of Ihe system. •» T''"" ^^^^ key correspondmg to the unique secret key 

Note that the context informatmn will be marked as non- """^ """"^ ^ «'"'=n«'l. cumpiUiUiB: 

resurtable at this point. Note also that sjiecifying an address " "nil conUguted lo read ihiI a pluraUly of 

in lie proleciion domain as a jumping Uigel of die -^ejmp" progranis encrypted by u.sing different execution code 

instruclicHi does not cause ihe violation. eiKryption keys from an external memory; 

'lliis completes the description of a procedure for call up US a decryption unit configured to decrypt the phirality of 

from the protection domain tr> the non-protection domain programs lead oul by the reading unit by usiiig respec- 

and newly added instructions used in thai procedure. live decryption keys; 
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»n cxeculioD unil conligun^l lo execute the pluiality of 
programs decrypted by the decryption unit; 

a context information saving unit configured to save a 
context information for one program whose execution 
is to be interrupted, intf> the extemat niemnry nr a 
context information memory provided inside ttie 
micropn^essor, the context information containing 
information indicating an execution state of tlie one 
program and the execution code encryption key of the 
CDC program; aod 

a restart unit configured to restart an execution of tlic one 
program by reading out the context information from 
(be external memory or the coni<$xt inTormiilion 
memory^ and recovering tbc execution state of the one 
program Lrura the conLexL informaiiun; 

wherein the wntext information saving unit is configured 
lo generate a random number as h temporary key, to 
encrypt the context inlormalion, and lo save an 
encrypted context information into the external 
memory, the encrypted context inlbrmalion containing 
a firM vahit obtained by encrypting information indi- 
cating the executlou state of the one program by using 
the temporary key and a second value obtained by 
cncryi)ting the teiuporary key by using llic public key; 

the restart unit is configured to restart the execution of the 
ODC program by leading out ttic encrypted context 
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ioformalion from Ihe external memory decrypting the 
temporary key fmm the second value contained in the 
encrypted context information by using the secret key, 
decrypting the inlbrmaiion indicating the execiilion 
state fmm the first vahie contained in the encrypted 
context information by using a decrypted temporary 
key, and recovering the execution stale of the one 
program from a decrypted context infomiation; and 
the context infonnalion saving unil sav«a» the encrypted 
aintext informatk>n that also contains a third vahic 
detained by encrypting tlie temjmrary key by using the 
execiilion cude encryplion key of the one program. 
2. 'llie microprocessor of claim I, wherein the restart unit 
15 decrypts a iirsi lempomiy key Irom the second value c*od- 
taincd in the encryjned context information by using the 
secret key and decrypts the infomiation indicating the 
execution Mate from the first value contained in the 
encryjited context information by using the first decrypted 
20 temporary key, while decrypting a second temporary key 
fmm the third value contained in the encrypted c<,^ntext 
information by using the execution code encryjrtion key of 
the one program, and restarts the execution of the one 
program only wlien the first decryjited tenijxirary key coin- 
2S cidcs with tbc second dccx>'ptcd temporary key. 
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